Lucene search

[email protected]CVE-2023-24620

HistoryAug 25, 2023 - 8:15 p.m.

CVE-2023-24620

2023-08-2520:15:07

CWE-611

[email protected]

web.nvd.nist.gov

cve-2023-24620

esoteric yamlbeans

yaml

xml

entity expansion

attack

nvd

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.2%

JSON

An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.

Affected configurations

NVD

Node

esotericsoftwareyamlbeansRange≤1.15

CPENameOperatorVersion
esotericsoftware:yamlbeansesotericsoftware yamlbeansle1.15

CPE	Name	Operator	Version
esotericsoftware:yamlbeans	esotericsoftware yamlbeans	le	1.15

References

contrastsecurity.com

github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

github.com/EsotericSoftware

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.2%

JSON

Related for CVE-2023-24620

veracode1 osv2 cvelist1 prion1 nvd1 github1