Description

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Remediation

References

https://github.com/charleskorn/kaml/releases/tag/0.53.0

https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48

https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a

Related Vulnerabilities

CVE-2019-10448 Vulnerability in maven package org.jenkins-ci.plugins:icescrum

CVE-2022-45146 Vulnerability in maven package org.bouncycastle:bc-fips

CVE-2018-19048 Vulnerability in maven package org.webjars.bower:simditor

CVE-2023-29471 Vulnerability in maven package com.typesafe.akka:akka-stream-kafka

CVE-2021-32730 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

Severity

High

Classification

CWE-776 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Release Notes Vendor Advisory Patch