Lucene search

K
amazonAmazonALAS2-2023-1976
HistoryMar 02, 2023 - 10:35 p.m.

Important: snakeyaml

2023-03-0222:35:00
alas.aws.amazon.com
88
snakeyaml
dos
denial of service
amazon linux 2
update
vulnerability
red hat
mitre

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.6%

Issue Overview:

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. (CVE-2022-25857)

Affected Packages:

snakeyaml

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update snakeyaml to update your system.

New Packages:

noarch:  
    snakeyaml-1.11-8.amzn2.0.1.noarch  
    snakeyaml-javadoc-1.11-8.amzn2.0.1.noarch  
  
src:  
    snakeyaml-1.11-8.amzn2.0.1.src  

Additional References

Red Hat: CVE-2022-25857

Mitre: CVE-2022-25857

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.6%