CVE-2023-39010: 
Java vulnerability analysis and mitigation

A code injection vulnerability was discovered in BoofCV version 0.42 and earlier versions, specifically in the component boofcv.io.calibration.CalibrationIO.load. The vulnerability was disclosed on July 17, 2023, and affects the camera calibration configuration loading functionality. This security issue is tracked as CVE-2023-39010 (NVD, CVE).

The vulnerability exists in the CalibrationIO.load(String) method which is designed to load camera calibration configurations. The issue stems from insufficient input validation when processing YAML files. When loading a camera calibration file, the application fails to properly validate the content, allowing for the execution of arbitrary code through malicious YAML content. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-94: Improper Control of Generation of Code (Code Injection) (NVD).

A successful exploitation of this vulnerability could allow attackers to execute arbitrary code on the affected system by providing a specially crafted camera calibration file. This could lead to complete system compromise, allowing attackers to gain the same privileges as the application running the vulnerable code (NVD).

The recommended fix is to use new Yaml(new SafeConstructor()) when processing YAML files to prevent code injection attacks. This ensures proper validation and safe construction of YAML content (GitHub Issue).