Description

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Remediation

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J/

https://security.netapp.com/advisory/ntap-20240315-0009/

https://security.netapp.com/advisory/ntap-20240621-0006/

Related Vulnerabilities

CVE-2017-16196 Vulnerability in npm package quickserver

CVE-2021-3163 Vulnerability in npm package quill

CVE-2021-23431 Vulnerability in npm package joplin

CVE-2020-13445 Vulnerability in maven package com.liferay:com.liferay.portal.template.freemarker

CVE-2020-14966 Vulnerability in maven package org.webjars.npm:jsrsasign

Severity

High

Classification

CWE-787 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Tags

Exploit Issue Tracking Third Party Advisory