Описание
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
Отчет
For RHEL-8 it's downgraded to moderate because "snakeyaml" itself in RHEL 8 or RHEL-9 isn't shipped and "prometheus-jmx-exporter" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate. Red Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate. Red Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low. Red Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | snakeyaml | Affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | ||
| Red Hat A-MQ Online | snakeyaml | Not affected | ||
| Red Hat build of Debezium 1 | snakeyaml | Not affected | ||
| Red Hat build of Quarkus | snakeyaml | Affected | ||
| Red Hat Enterprise Linux 7 | snakeyaml | Out of support scope | ||
| Red Hat Integration Camel K 1 | snakeyaml | Affected | ||
| Red Hat Integration Camel Quarkus 1 | snakeyaml | Affected | ||
| Red Hat Integration Service Registry | snakeyaml | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | snakeyaml | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable t ...
EPSS
7.5 High
CVSS3