GHSA-c24f-2j3g-rg48
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c24f-2j3g-rg48
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-c24f-2j3g-rg48/GHSA-c24f-2j3g-rg48.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c24f-2j3g-rg48
- Aliases
- Published
- 2023-03-20T21:26:59Z
- Modified
- 2023-11-08T04:12:09.233283Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- kaml has potential denial of service while parsing input with anchors and aliases
- Details
-
Impact
Applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash.
Patches
Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases.
Workarounds
None.
References
Wikipedia has an explanation of this class of vulnerability: billion laughs attack
Acknowledgements
Thank you to @gdude2002 for reporting this issue.
- Database specific
{ "nvd_published_at": "2023-03-20T13:15:00Z", "github_reviewed_at": "2023-03-20T21:26:59Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-776" ] }- References
Affected packages
Maven / com.charleskorn.kaml:kaml
Package
- Name
- com.charleskorn.kaml:kaml
- View open source insights on deps.dev
- Purl
- pkg:maven/com.charleskorn.kaml/kaml
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.53.0
Affected versions
0.*
0.1.0
0.2.1
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.10.0
0.11.0
0.12.0
0.13.0
0.14.0
0.15.0
0.16.1
0.17.0
0.18.0
0.18.1
0.19.0
0.20.0
0.21.0
0.22.0
0.23.0
0.24.0
0.25.0
0.26.0
0.27.0
0.28.0
0.28.1
0.28.2
0.28.3
0.29.0
0.30.0
0.31.0
0.32.0
0.33.0
0.34.0
0.35.0
0.35.1
0.35.2
0.35.3
0.36.0
0.37.0
0.38.0
0.39.0
0.39.1
0.40.0
0.41.0
0.42.0
0.43.0
0.44.0
0.45.0
0.46.0
0.47.0
0.48.0
0.49.0
0.50.0
0.51.0
0.52.0