Description
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Remediation
References
https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024
https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html
https://security.gentoo.org/glsa/202305-28
https://security.netapp.com/advisory/ntap-20240315-0010/
Related Vulnerabilities
CVE-2022-31150 Vulnerability in maven package org.webjars.npm:undici
CVE-2020-2136 Vulnerability in maven package org.jenkins-ci.plugins:git
CVE-2021-21120 Vulnerability in maven package org.webjars.npm:electron
CVE-2019-16728 Vulnerability in maven package org.webjars.bowergithub.cure53:dompurify
CVE-2019-1003010 Vulnerability in maven package org.jenkins-ci.plugins:git