Vulnerability details: VCID-4bcd-g1mw-43fq
Vulnerability ID VCID-4bcd-g1mw-43fq
Aliases CVE-2022-31115
GHSA-977c-63xq-cgw3
Summary Unsafe YAML deserialization in opensearch-ruby

### Impact
A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using YAML.load if the response is of type YAML.

### Patches
The problem has been patched in opensearch-ruby gem version 2.0.2.

### Workarounds
No viable workaround. Please upgrade to 2.0.2
Status Published
Exploitability None
Weighted Severity None
Risk None
System Score Found at
epss 0.00445 https://api.first.org/data/v1/epss?cve=CVE-2022-31115
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-977c-63xq-cgw3
cvssv3.1 8.8 https://github.com/opensearch-project/opensearch-ruby
generic_textual HIGH https://github.com/opensearch-project/opensearch-ruby
cvssv3.1 8.8 https://github.com/opensearch-project/opensearch-ruby/commit/d74a98b45c037671e8819fa87f6a6423458ab08a
generic_textual HIGH https://github.com/opensearch-project/opensearch-ruby/commit/d74a98b45c037671e8819fa87f6a6423458ab08a
cvssv3.1 8.8 https://github.com/opensearch-project/opensearch-ruby/compare/v2.0.1...v2.0.2
generic_textual HIGH https://github.com/opensearch-project/opensearch-ruby/compare/v2.0.1...v2.0.2
cvssv3.1 8.8 https://github.com/opensearch-project/opensearch-ruby/pull/77
generic_textual HIGH https://github.com/opensearch-project/opensearch-ruby/pull/77
ssvc Track* https://github.com/opensearch-project/opensearch-ruby/pull/77
cvssv3 8.8 https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
cvssv3.1 8.8 https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
cvssv3.1_qr HIGH https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
generic_textual HIGH https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
ssvc Track* https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
cvssv3.1 8.8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/opensearch-ruby/CVE-2022-31115.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/opensearch-ruby/CVE-2022-31115.yml
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-31115
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-31115
cvssv3.1 8.8 https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated
generic_textual HIGH https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated
cvssv3.1 8.8 https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
ssvc Track* https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/opensearch-project/opensearch-ruby
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/opensearch-project/opensearch-ruby/commit/d74a98b45c037671e8819fa87f6a6423458ab08a
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/opensearch-project/opensearch-ruby/compare/v2.0.1...v2.0.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/opensearch-project/opensearch-ruby/pull/77
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:42:50Z/ Found at https://github.com/opensearch-project/opensearch-ruby/pull/77
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:42:50Z/ Found at https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/opensearch-ruby/CVE-2022-31115.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-31115
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:42:50Z/ Found at https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/
Exploit Prediction Scoring System (EPSS)
Percentile 0.63757
EPSS Score 0.00445
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:14:50.536531+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/opensearch-ruby/CVE-2022-31115.yml 38.6.0