A deserialization vulnerability was found in ManageIQ. The YamlLoadAliases module in lib/extensions/yaml_load_aliases.rb overrides YAML.safe_load globally. In production, when the wrapped YAML.safe_load raises Psych::DisallowedClass (the error Psych uses to reject a class outside the permitted list), the override does not propagate the error but silently falls back to YAML.unsafe_load, which deserializes arbitrary Ruby objects. Because the override is global, every YAML.safe_load call in the application inherits this fallback; the identified vector is dialog import, where an authenticated user with dialog import access can upload a crafted YAML payload containing classes outside the permitted list, trigger the fallback, and achieve Remote Code Execution via standard Ruby gadget chains. The code comment explicitly labels this a "Temporary hack to fallback to psych 3 behavior", but it was never removed.
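The following is an added example, not ManageIQ's code: it reconstructs the described fallback pattern as a plain method (rather than a global monkey-patch of YAML.safe_load) beside the hardened form, and shows with a harmless stand-in class (DialogRecord, constructed here) that the rescue turns a rejected tag into an instantiated object of an arbitrary class. The YAML document and the class are constructed for this example; a real attacker would substitute a gadget class.

```ruby
require "yaml"

# Constructed stand-in for "any class outside the permitted list".
# It is deliberately harmless; the point is only that safe_load refuses
# to build it while the fallback path builds it anyway.
class DialogRecord
  attr_reader :name

  def initialize(name = nil)
    @name = name
  end
end

# Constructed attacker-controlled document: a !ruby/object tag naming a
# class that is not in permitted_classes.
CRAFTED_YAML = "--- !ruby/object:DialogRecord\nname: pwned\n"

# Vulnerable pattern (reconstruction of the behaviour described in the
# advisory, not the project's own code): DisallowedClass is rescued and
# the document is re-parsed with the unrestricted loader.
def load_with_fallback(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes)
rescue Psych::DisallowedClass
  # YAML.unsafe_load exists on Psych >= 3.3.2; on older Psych, YAML.load
  # is the unrestricted loader. Either way this instantiates arbitrary
  # Ruby objects from attacker input.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hardened form: restricted loading only, no rescue. A DisallowedClass
# error surfaces to the caller, which must treat it as a rejected upload.
def load_strict(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes)
end

# Runs the crafted document through both loaders and reports the outcome:
# the class the fallback path produced, and whether the strict path
# rejected the document.
def demo
  fallback_result = load_with_fallback(CRAFTED_YAML)
  strict_result =
    begin
      load_strict(CRAFTED_YAML)
      :loaded
    rescue Psych::DisallowedClass
      :rejected
    end
  [fallback_result.class, strict_result]
end

if __FILE__ == $PROGRAM_NAME
  fallback_class, strict = demo
  puts "fallback loader built: #{fallback_class}"   # DialogRecord
  puts "strict loader result:  #{strict}"           # rejected
end
```

When auditing a codebase for this pattern, search for rescue clauses on Psych::DisallowedClass (and its predecessor Psych::DisallowedClass raised under safe_load in Psych 3) that retry with YAML.load or YAML.unsafe_load; a legitimate compatibility shim should widen permitted_classes for known types, never swap loaders on error.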