Description

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Remediation

References

https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081

https://security.gentoo.org/glsa/202305-28

https://security.netapp.com/advisory/ntap-20240315-0009/

Related Vulnerabilities

CVE-2018-16330 Vulnerability in npm package editor.md

CVE-2021-32014 Vulnerability in npm package xlsx

CVE-2020-28472 Vulnerability in maven package org.webjars.npm:aws-sdk

CVE-2018-18853 Vulnerability in maven package io.spray:spray-json

CVE-2022-29631 Vulnerability in maven package org.jodd:jodd-http

Severity

High

Classification

CWE-787 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory Permissions Required