Description
Uncontrolled recursion leads to abort in deserialization
Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.
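
The depth check the description mentions, as an added Rust example that is not serde_yaml's own code: a toy node model in which aliases index into an anchor table, with a resolver that returns an error once nesting exceeds a limit instead of recursing until the stack overflows. `Node`, `resolve`, `flatten` and the `RECURSION_LIMIT` value of 128 are assumptions made for this illustration.

```rust
// Added illustration: a toy document model, not serde_yaml internals.
#[derive(Debug, PartialEq)]
enum Error {
    RecursionLimitExceeded,
    UnknownAnchor(usize),
}

enum Node {
    Scalar(String),
    Seq(Vec<Node>),
    Alias(usize), // index into the anchor table
}

const RECURSION_LIMIT: usize = 128; // assumed value for this example

// Collects every scalar reachable from `node`, following aliases.
// `depth` counts nesting levels; without the check below, an anchor whose
// content aliases itself would recurse until the process aborts.
fn flatten(node: &Node, anchors: &[Node], depth: usize, out: &mut Vec<String>) -> Result<(), Error> {
    if depth > RECURSION_LIMIT {
        return Err(Error::RecursionLimitExceeded);
    }
    match node {
        Node::Scalar(s) => {
            out.push(s.clone());
            Ok(())
        }
        Node::Seq(items) => {
            for item in items {
                flatten(item, anchors, depth + 1, out)?;
            }
            Ok(())
        }
        Node::Alias(id) => match anchors.get(*id) {
            Some(target) => flatten(target, anchors, depth + 1, out),
            None => Err(Error::UnknownAnchor(*id)),
        },
    }
}

fn resolve(root: &Node, anchors: &[Node]) -> Result<Vec<String>, Error> {
    let mut out = Vec::new();
    flatten(root, anchors, 0, &mut out)?;
    Ok(out)
}

fn main() {
    // Constructed input: anchor 0 is a sequence containing an alias to anchor 0.
    let cyclic = vec![Node::Seq(vec![Node::Alias(0)])];
    println!("{:?}", resolve(&Node::Alias(0), &cyclic));
}
```

The caller receives an ordinary `Err` it can handle, so untrusted input cannot take the process down through alias nesting.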
Packages
Name: serde_yaml (rust)
Affected versions: >= 0.6.0-rc1, < 0.8.4
Fixed version: 0.8.4
Weaknesses
CWE-674