GHSA-fmm9-3gv8-58f4

Source

https://github.com/advisories/GHSA-fmm9-3gv8-58f4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-fmm9-3gv8-58f4/GHSA-fmm9-3gv8-58f4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fmm9-3gv8-58f4

Aliases

CVE-2021-39194

Published

2021-09-07T23:08:40Z

Modified

2024-02-17T05:34:08.557056Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Improper Handling of Missing Values in kaml

Details

Impact

Attackers that could provide arbitrary YAML input to an application that uses kaml could cause the application to endlessly loop while parsing the input. This could result in resource starvation and denial of service.

This only affects applications that use polymorphic serialization with the default tagged polymorphism style. Applications using the property polymorphism style are not affected.

YAML input for a polymorphic type that provided a tag but no value for the object would trigger the issue, for example:

!<x>

The following is a sample application that demonstrates this issue:

import com.charleskorn.kaml.Yaml
import kotlinx.serialization.SerialName
import kotlinx.serialization.Serializable

@Serializable
private sealed class K {
    @Serializable
    @SerialName("x")
    data class X(
        val property: String? = null,
    ) : K()
}

const val s = """
!<x>
"""

fun main() {
    println("Started.")
    val result = Yaml.default.decodeFromString(K.serializer(), s)
    println("Finished, result is $result")
}

On vulnerable versions of kaml, the decodeFromString() operation hangs and never returns.

Patches

Version 0.35.3 or later contain the fix for this issue.

Database specific

{
    "nvd_published_at": "2021-09-07T20:15:00Z",
    "cwe_ids": [
        "CWE-230",
        "CWE-835"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-07T18:02:13Z"
}

References

Affected packages

Maven / com.charleskorn.kaml:kaml

Package

Name: com.charleskorn.kaml:kaml; View open source insights on deps.dev
Purl: pkg:maven/com.charleskorn.kaml/kaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.35.3

Affected versions

0.*

0.1.0

0.2.1

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.8.0

0.9.0

0.10.0

0.11.0

0.12.0

0.13.0

0.14.0

0.15.0

0.16.1

0.17.0

0.18.0

0.18.1

0.19.0

0.20.0

0.21.0

0.22.0

0.23.0

0.24.0

0.25.0

0.26.0

0.27.0

0.28.0

0.28.1

0.28.2

0.28.3

0.29.0

0.30.0

0.31.0

0.32.0

0.33.0

0.34.0

0.35.0

0.35.1

0.35.2

Database specific

{
    "last_known_affected_version_range": "< 0.35.2"
}