Description

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Remediation

References

https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a

https://github.com/charleskorn/kaml/releases/tag/0.53.0

https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48

Related Vulnerabilities

CVE-2014-7810 Vulnerability in maven package org.mortbay.jasper:apache-jsp

CVE-2023-31058 Vulnerability in maven package org.apache.inlong:manager-common

CVE-2018-3785 Vulnerability in npm package git-dummy-commit

CVE-2023-40312 Vulnerability in maven package org.opennms:opennms-webapp

CVE-2023-46589 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Release Notes Vendor Advisory NVD-CWE-noinfo