Description
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Remediation
References
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081
https://security.gentoo.org/glsa/202305-28
https://security.netapp.com/advisory/ntap-20240315-0009/
Related Vulnerabilities
CVE-2016-10588 Vulnerability in npm package nw
CVE-2016-0785 Vulnerability in maven package org.apache.struts.xwork:xwork-core
CVE-2022-1243 Vulnerability in npm package urijs
CVE-2022-21704 Vulnerability in npm package log4js
CVE-2019-10908 Vulnerability in maven package org.airsonic.player:airsonic-main