CVE-2023-28118

Опубликовано: 20 мар. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Ссылки

https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a
Patch
https://github.com/charleskorn/kaml/releases/tag/0.53.0
Release Notes
https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48
Vendor Advisory
https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a
Patch
https://github.com/charleskorn/kaml/releases/tag/0.53.0
Release Notes
https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:kaml_project:kaml:*:*:*:*:*:*:*:*

Версия до 0.53.0 (исключая)

EPSS

Процентиль: 47%

0.00237

Низкий

7.5 High

CVSS3

Дефекты

CWE-776

Связанные уязвимости

GHSA-c24f-2j3g-rg48