Vulnerability Description
cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a `SafeConstructor` object, as seen in the patch.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Commonwl | Cwlviewer | < 1.3.1 |
Related Weaknesses (CWE)
References
- https://github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2cPatchThird Party Advisory
- https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7PatchThird Party Advisory
- https://www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-ExploitThird Party Advisory
- https://github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2cPatchThird Party Advisory
- https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7PatchThird Party Advisory
- https://www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-ExploitThird Party Advisory
FAQ
What is CVE-2021-41110?
CVE-2021-41110 is a vulnerability with a CVSS score of 9.1 (CRITICAL). cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2...
How severe is CVE-2021-41110?
CVE-2021-41110 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-41110?
Check the references section above for vendor advisories and patch information. Affected products include: Commonwl Cwlviewer.