CVE-2021-46364: Deserialization of Untrusted Data in Magnolia CMS
7.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.76045%
CWE
Published
2/12/2022
Updated
2/3/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
info.magnolia:magnolia-core | maven | < 6.2.4 | 6.2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsafe YAML deserialization: Magnolia passed YAML through SnakeYAML's default configuration, whose default constructor resolves global `!!` tags to arbitrary Java classes. Runtime detection would show:
- the core SnakeYAML `load()` method being called with attacker-controlled input;
- Magnolia's YAML processing entry points that accept user-supplied YAML.

While exact patch details are unavailable, the PoC and the nature of the vulnerability indicate that these functions would appear in stack traces during exploitation, when malicious YAML is processed.
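The contrast described above, as an added example that is not Magnolia's code or the advisory's PoC: the default `Yaml()` loader beside a loader built on `SafeConstructor`, which only constructs standard YAML types and refuses every global tag. It assumes SnakeYAML 2.x (where `SafeConstructor(LoaderOptions)` is the constructor); the tagged document and the class name in it are constructed sample input.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoadingDemo {

    // Constructed sample: a document carrying a global "!!" tag, which the
    // default constructor treats as "instantiate the named Java class".
    static final String TAGGED_DOC = "value: !!com.example.NotOnClasspath {}";

    // Vulnerable shape (the pattern behind this CVE): the default Yaml()
    // honours any !!fully.qualified.Class tag found in untrusted input.
    static Object loadUnsafe(String untrusted) {
        return new Yaml().load(untrusted);
    }

    // Hardened shape: SafeConstructor builds only maps, lists and scalars and
    // throws on every global tag before any class lookup takes place.
    static Object loadSafe(String untrusted) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false); // reject ambiguous documents as well
        return new Yaml(new SafeConstructor(opts)).load(untrusted);
    }

    public static void main(String[] args) {
        // Ordinary configuration YAML still parses with the safe loader.
        System.out.println(loadSafe("name: demo\nport: 8080"));

        // The tagged document is refused with a ConstructorException
        // ("could not determine a constructor for the tag ...").
        try {
            loadSafe(TAGGED_DOC);
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When hunting for the vulnerable pattern in a code base, any `new Yaml()` or `new Yaml(new Constructor(...))` that receives request-derived input is the call to look for; `SafeConstructor` is the fix the advisory's root cause points at.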