Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-38749

Опубликовано: 05 сент. 2022
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.

Отчет

Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version. Satellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2snakeyamlAffected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/elasticsearch6-rhel8Not affected
OpenShift Developer Tools and Servicesjenkins-2-pluginsAffected
Red Hat A-MQ OnlinesnakeyamlNot affected
Red Hat build of Apicurio Registry 2snakeyamlNot affected
Red Hat build of Debezium 1snakeyamlNot affected
Red Hat build of QuarkussnakeyamlNot affected
Red Hat Decision Manager 7snakeyamlOut of support scope
Red Hat Enterprise Linux 7snakeyamlOut of support scope
Red Hat Integration Camel K 1snakeyamlAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-787
https://bugzilla.redhat.com/show_bug.cgi?id=2129706snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode

EPSS

Процентиль: 68%
0.00559
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-38749

CVSS3: 6.5
ubuntu
больше 3 лет назад

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

nvd логотип

CVE-2022-38749

CVSS3: 6.5
nvd
больше 3 лет назад

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

msrc логотип

CVE-2022-38749

CVSS3: 6.5
msrc
4 месяца назад

DoS in SnakeYAML

debian логотип

CVE-2022-38749

CVSS3: 6.5
debian
больше 3 лет назад

Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...

github логотип

GHSA-c4r9-r8fh-9vj2

CVSS3: 6.5
github
больше 3 лет назад

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

EPSS

Процентиль: 68%
0.00559
Низкий

6.5 Medium

CVSS3