Our pentester Josef discovered a vulnerability in a public python library used by the application’s REST API. The vulnerability was found in the library’s support for different content types that could be used to communicate with the API. While the default content type for the API was JSON, it was discovered that the library also supported YAML.
The issue arose because the library used a misconfigured YAML parsing library - pyYAML, which made it vulnerable to unsafe YAML deserialization. This meant that an attacker could execute arbitrary code by exploiting this vulnerability (aka Remote Code Execution).
To discover the vulnerability, our team tried different content types while interacting with the API. For some of the unsupported content types, the API responded with an error message stating that the content type was not supported, however, it also listed all supported content types, one of which was YAML..
Since YAML content type is not often used by APIs, and since our team knew the solution is written in Python from other findings, they immediately tried exploiting a well-known vector in Python YAML parsing - Unsafe Deserialization. This vector proved to be valid and Remote Code Execution was achieved. This unintentionally provided access to sensitive information about the application’s implementation and configuration, which could potentially be exploited by an attacker.
The discovery of this vulnerability allowed us to alert the client and provide temporary recommendations for remediation, since the library in use was not maintained by them, we’ve reached out to the author of the library, reported the vulnerability along with a proposal to fix the issue and filed for a CVE identifier, which was received and identified as a CVE-2023-47204. The author of the library promptly released a new, fixed version. After that, the client was notified to address the issue by updating the library.
It is crucial for organizations to regularly assess the security of their systems and applications, both through internal testing and external penetration testing. This helps identify and address vulnerabilities before they can be exploited by malicious actors.
In conclusion, the vulnerability discovered in the library used by the REST API demonstrated the potential risks of widening the attack surface by using 3rd party libraries that are not regularly tested or time-proven. It serves as a reminder to prioritize security in software development and regularly conduct security assessments to mitigate potential threats.
Contact us today and turn your vulnerabilities into strengths!
