What is Using Components with Know Vulnerability means?
- This lab helps us to understand some areas where this threat can occur.
- The user on accessing the lab is given with certain libraries used by jack in his project.
- Try to identify if they are safe or vulnerable.
-
-
+ This lab helps us to understand why components with know vulnerability can be a serious issue.
+
+ The user on accessing the lab is provided with a feature to convert yaml files into json objects.
+ The user needs to choose an yaml file and click upload to get the json data.
+ There is also a get version feature which tells the user the version of the library the app uses.
+
+ Exploiting the vulnerability.
+
+
The app uses pyyaml 5.1 Which is vulnerable to code execution.
+
You can google the library with the version to get the poc and vulnerability details
+
Create An yaml file with this payload:
+ !!python/object/apply:subprocess.Popen
+ - ls
+
+
On Uploading this file the user should be able to see the output of the command executed.
+
+
@@ -29,7 +41,7 @@
What is Using Components with Know Vulnerability means?
-
Mitigation
+
Mitigation
Remove unused dependencies, unnecessary features, components, files, and documentation.