In 0.42 and before there's a code injection vulnerability of boofcv.io.calibration.CalibrationIO.load
#406
Affected Version
Versions including 0.42 and below.
Describe the vulnerability
boofcv.io.calibration.CalibrationIO.load(String) is designed to load camera calibration configurations. However, passing an unchecked argument to this API can lead to the execution of arbitrary code. For instance, if we use CalibrationIO.load("example.yaml") to load a camera calibration while the file "example.yaml" contains the following content:

malicious code in the evil.jar could be executed.

To Reproduce
Just executing
CalibrationIO.load("PoC.yaml");
would reproduce it.

Fix Suggestion
Using
new Yaml(new SafeConstructor())
can fix it.
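As an added, illustrative example (not BoofCV's code and not written by the reporter): loading a calibration-style YAML document through SnakeYAML's SafeConstructor, as the fix suggestion proposes, so that only plain YAML types (mappings, sequences, scalars) are ever constructed and a document carrying a Java class tag is rejected instead of instantiated. It assumes the SnakeYAML 1.x API (in 2.x, SafeConstructor takes a LoaderOptions argument) and uses a constructed key layout that is not BoofCV's real calibration format.

```java
import java.io.StringReader;
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeCalibrationLoad {
    // Constructed sample document; the keys are illustrative, not BoofCV's real layout.
    static final String CALIBRATION = String.join("\n",
        "width: 640",
        "height: 480",
        "fx: 520.5",
        "fy: 521.0",
        "cx: 320.0",
        "cy: 240.0");

    // Constructed document with a global (Java class) tag. SafeConstructor has no
    // constructor registered for such tags, so it refuses to build the object.
    static final String TAGGED = "stamp: !!java.util.Date 2020-01-01T00:00:00Z";

    /** Parses YAML with SafeConstructor: standard YAML types only, no Java class instantiation. */
    static Map<String, Object> loadSafely(String text) {
        Yaml yaml = new Yaml(new SafeConstructor());   // the fix suggested in the issue
        Object root = yaml.load(new StringReader(text));
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        // Plain calibration data loads fine; scalars come back as Integer/Double.
        Map<String, Object> calib = loadSafely(CALIBRATION);
        System.out.println("fx = " + calib.get("fx") + ", width = " + calib.get("width"));

        // The tagged document is rejected with a ConstructorException (a YAMLException)
        // rather than being turned into a Java object.
        try {
            loadSafely(TAGGED);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Any untrusted calibration file should go through a parser built this way; a default `new Yaml()` would resolve arbitrary Java class tags during load.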