YAPI Remote Code Execution 0-day Vulnerability

Published 2021-07-09

0x00 Vulnerability overview

CVE ID:
Date: 2021-07-09
Type: RCE
Severity: High
Remotely exploitable: Yes
Affected scope: All versions
Attack complexity:
Availability: High
User interaction:
Required privileges:
PoC/EXP:
Exploited in the wild: Yes

0x01 Vulnerability details

YAPI is an efficient, easy-to-use and feature-rich API management platform, intended to give developers, product managers and testers a more elegant interface management service.

On 8 July 2021, YAPI was disclosed to have a remote code execution 0-day vulnerability. Because the custom mock script service does not strictly filter the JS scripts it accepts, a user can add a request-handling script and plant malicious commands in it, ultimately achieving remote command execution. The vulnerability is currently being exploited at scale by botnets and trojans.

0x02 Remediation advice

There is currently no patch for this vulnerability. Wait for the official patch to be released and apply the following mitigations in the meantime:

- Disable the YAPI user registration feature;

- Delete any malicious accounts that have already been registered;

- Delete malicious mock scripts;

- Roll back the server to a clean snapshot.
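To support the "delete malicious mock scripts" step above, the following is an added triage helper (not YAPI's own code): it scans exported mock scripts for references to Node module loading or command execution, which a script that only shapes a mock response has no reason to contain. The interface ids and script bodies are constructed samples, and `mockJson` and `params` are assumed to be the variables YAPI exposes to mock scripts.

```python
import re
from typing import Dict, List

# Indicators of module loading or command execution. None of these belong in a
# script whose only job is to fill in a mock response; any hit needs manual review.
SUSPICIOUS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "child_process": re.compile(r"child_process"),
    "require_call": re.compile(r"\brequire\s*\("),
    "process_access": re.compile(r"\bprocess\s*\.\s*(mainModule|binding|env|exit)\b"),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
    "constructor_chain": re.compile(r"constructor\s*\.\s*constructor"),
}


def scan_mock_script(script: str) -> List[str]:
    """Return the names of every indicator found in one script (empty list = no hits)."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(script)]


def triage(scripts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map interface id -> matched indicators, keeping only scripts that had at least one hit."""
    report: Dict[str, List[str]] = {}
    for iface_id, script in scripts.items():
        hits = scan_mock_script(script)
        if hits:
            report[iface_id] = hits
    return report


# Constructed samples: two ordinary mock scripts and one that loads child_process.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "iface-1": "mockJson.code = 0; mockJson.data.user = params.name;",
    "iface-2": "mockJson.list = []; for (var i = 0; i < 3; i++) mockJson.list.push({id: i});",
    "iface-3": "var cp = require('child_process'); mockJson.out = cp.execSync('id').toString();",
}

if __name__ == "__main__":
    for iface_id, hits in triage(SAMPLE_SCRIPTS).items():
        print(f"{iface_id}: {', '.join(hits)}")
```

In a real deployment, feed the function the `mock_script` text of every interface exported from the YAPI database and review each flagged interface before deleting it.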

Download link:

https://github.com/YMFE/yapi


0x03 References

https://github.com/YMFE/yapi/issues/2229

https://github.com/YMFE/yapi

https://s.tencent.com/research/report/76


0x04 Timeline

2021-07-08  Vulnerability disclosed

2021-07-09  VSRC published this security advisory

0x05 Appendix

CVSS scoring standard, official site: http://www.first.org/cvss/
