GHSA-9w3m-gqgf-c4p9

Source

https://github.com/advisories/GHSA-9w3m-gqgf-c4p9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-9w3m-gqgf-c4p9/GHSA-9w3m-gqgf-c4p9.json

Aliases

CVE-2022-38752

Published

2022-09-06T00:00:27Z

Modified

2024-03-15T12:59:23.253312Z

Summary

snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write

Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-38752
https://bitbucket.org/snakeyaml/snakeyaml
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081
https://security.gentoo.org/glsa/202305-28
https://security.netapp.com/advisory/ntap-20240315-0009

Affected packages

Maven / org.yaml:snakeyaml

Package

Name: org.yaml:snakeyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.32

Affected versions

1.*

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.20

1.21

1.22

1.23

1.24

1.25

1.26

1.27

1.28

1.29

1.30

1.31