Description

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Remediation

References

https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a

https://github.com/charleskorn/kaml/releases/tag/0.53.0

https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48

Related Vulnerabilities

CVE-2023-31453 Vulnerability in maven package org.apache.inlong:manager-web

CVE-2020-5258 Vulnerability in maven package org.webjars.bower:dojo

CVE-2020-36320 Vulnerability in maven package com.vaadin:vaadin-server

CVE-2023-37956 Vulnerability in maven package org.jenkins-ci.plugins:test-results-aggregator

CVE-2023-28155 Vulnerability in maven package org.webjars.bower:request

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Release Notes Vendor Advisory NVD-CWE-noinfo