Description

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Remediation

References

https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

https://security.gentoo.org/glsa/202305-28

https://security.netapp.com/advisory/ntap-20240315-0010/

Related Vulnerabilities

CVE-2022-25644 Vulnerability in npm package @pendo324/get-process-by-name

CVE-2017-12160 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2021-22204 Vulnerability in npm package exiftool-vendored

CVE-2019-5427 Vulnerability in maven package com.mchange:c3p0

CVE-2018-3721 Vulnerability in npm package lodash.merge

Severity

High

Classification

CWE-787 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory Mailing List