GHSA-hhhw-99gj-p3c3

Source

https://github.com/advisories/GHSA-hhhw-99gj-p3c3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hhhw-99gj-p3c3/GHSA-hhhw-99gj-p3c3.json

Aliases

CVE-2022-38750

Published

2022-09-06T00:00:27Z

Modified

2024-03-15T12:49:06.729862Z

Summary

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-38750
https://bitbucket.org/snakeyaml/snakeyaml
https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html
https://security.gentoo.org/glsa/202305-28
https://security.netapp.com/advisory/ntap-20240315-0010

Affected packages

Maven / org.yaml:snakeyaml

Package

Name: org.yaml:snakeyaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.31

Affected versions

1.*

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.20

1.21

1.22

1.23

1.24

1.25

1.26

1.27

1.28

1.29

1.30