CVE-2022-38749

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Published: Sep 5, 2022
Updated: May 22, 2023
CVE: CVE-2022-38749
GHSA: GHSA-c4r9-r8fh-9vj2
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-121
CWE-787

Affected Software
References

Software	From	Fixed in
snakeyaml_project / snakeyaml	-	1.31
debian / debian_linux	10.0	10.0.x
org.yaml / snakeyaml	-	1.31

https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024
https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html
https://security.gentoo.org/glsa/202305-28
https://security.netapp.com/advisory/ntap-20240315-0010/

Vulnerability Database

289,697

CVE-2022-38749