GHSA-c24f-2j3g-rg48

Опубликовано: 20 мар. 2023

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

kaml has potential denial of service while parsing input with anchors and aliases

Impact

Applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash.

Patches

Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases.

Workarounds

None.

References

Wikipedia has an explanation of this class of vulnerability: billion laughs attack

Acknowledgements

Thank you to @gdude2002 for reporting this issue.

Ссылки

Пакеты

Наименование

com.charleskorn.kaml:kaml

maven

Затронутые версииВерсия исправления

< 0.53.0

0.53.0

EPSS

Процентиль: 47%

0.00237

Низкий

7.5 High

CVSS3

CVE ID

CVE-2023-28118

Дефекты

CWE-776

Связанные уязвимости

CVE-2023-28118

CVSS3: 7.5

nvd

почти 3 года назад

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

EPSS

Процентиль: 47%

0.00237

Низкий

7.5 High

CVSS3

CVE ID

CVE-2023-28118

Дефекты

CWE-776