Description
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Remediation
References
https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html
https://security.gentoo.org/glsa/202305-28
https://security.netapp.com/advisory/ntap-20240315-0010/
Related Vulnerabilities
CVE-2021-43138 Vulnerability in maven package org.webjars.bower:async
CVE-2020-7605 Vulnerability in npm package gulp-tape
CVE-2022-39312 Vulnerability in maven package io.dataease:dataease-plugin-common
CVE-2023-47322 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web
CVE-2018-20059 Vulnerability in maven package ro.pippo:pippo-jaxb