nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.
The vulnerability stems from the use of an outdated version of the SnakeYAML library, which does not properly secure the YAML data deserialization process. An attacker can submit a specially crafted YAML payload that, when processed by the application, leads to the execution of malicious code. The attack vector is network-based, requires no authentication or user interaction, making the vulnerability particularly serious.
An attacker can remotely execute arbitrary code (RCE) on the server running nGrinder with application privileges, leading to complete compromise of system confidentiality, integrity, and availability.
Update nGrinder to version 3.5.9 or later, which includes an updated version of the SnakeYAML library that eliminates the unsafe deserialization vulnerability.
Naver nGrinder in versions before 3.5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNaver Ngrinder
APPNaver< 3.5.9
Related vulnerabilities
Naver nGrinder — RCE przez złośliwy serwer JMX/RMI
RCE przez niebezpieczną deserializację obiektów Java w Naver nGrinder
nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access contr...
nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access contr...
Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject ar...