As part of a proactive and thorough investigation of recent findings, we discovered and corrected the following vulnerability. We recommend all self-hosted installations of Humio update to the latest security release.
Insecure deserialization of YAML
Status: Fixed in Humio 1.10.9, 1.12.4 and 1.13.4
Fixed an issue related to insecure deserialization of YAML files in our Dashboard Template files. The issue would have made it possible for an authenticated user to craft a malicious YAML file that, when uploaded, would allow the user to perform remote code execution. We found no evidence that this exploit has been utilized on our cloud.
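The usual mitigation for this bug class, as an added example that is not Humio's code: uploaded templates are parsed with a safe loader into plain data, and any explicit type tag is rejected before anything is constructed. The advisory does not name the YAML parser involved, so PyYAML stands in here, and the template fields and the `!!example/app-type` tag are constructed placeholders.

```python
import yaml

# Constructed sample uploads; field names are illustrative, not Humio's template schema.
PLAIN_TEMPLATE = """\
name: Errors overview
widgets:
  - title: Errors per host
    description: Count of error events grouped by host
"""
# Same shape, but with an explicit application tag (placeholder, maps to no real type).
TAGGED_TEMPLATE = """\
name: Errors overview
widgets: !!example/app-type
  - title: Errors per host
"""


def explicit_tags(text):
    """Return every explicit tag in the document.

    Only the tokenizer runs here, so no object is ever constructed.
    """
    tags = []
    for tok in yaml.scan(text, Loader=yaml.SafeLoader):
        if isinstance(tok, yaml.TagToken):
            handle, suffix = tok.value  # e.g. ("!!", "example/app-type")
            tags.append((handle or "") + suffix)
    return tags


def load_template(text):
    """Parse an uploaded template into plain dict/list/scalar data or raise ValueError."""
    try:
        tags = explicit_tags(text)
        if tags:
            # Assumption: a dashboard template is plain data and needs no type tags.
            raise ValueError(f"explicit YAML tags are not allowed: {tags}")
        # safe_load builds only core YAML types, never application classes.
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise ValueError(f"invalid YAML: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("template must be a YAML mapping")
    return data
```

Even without the tag check, `yaml.safe_load` raises `ConstructorError` on the tagged document; the pre-scan adds an error message that names the offending tag for logging and review.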