A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using YAML.load if the response is of type YAML.
The problem has been patched in opensearch-ruby gem version 2.0.2.
No viable workaround. Please upgrade to 2.0.2
https://github.com/opensearch-project/opensearch-ruby/pull/77 https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
If you have any questions or comments about this advisory: * Open an issue in opensearch-ruby
{ "nvd_published_at": "2022-06-30T22:15:00Z", "cwe_ids": [ "CWE-502" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-07-05T20:41:26Z" }