Lucene search

K
ibmIBM83FB543E615A9C8662A98035262ECF1D1F4689ADFAF69DF4FB232747683951CC
HistoryFeb 17, 2021 - 2:52 p.m.

Security Bulletin: Vulnerability has been identified in SnakeYAML used by IBM Dependency Based Build

2021-02-1714:52:25
www.ibm.com
123

EPSS

0.019

Percentile

88.5%

Summary

A vulnerability has been identified in SnakeYAML used by IBM Dependency Based BUild. SnakeYAML is used to load local YAML property files and is unlikely to cause a DoS incident described in the Vulnerability Details below. However, IBM recommends upgrading to version 1.1.0 or later.

Vulnerability Details

CVEID:CVE-2017-18640
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174331 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
Dependency Based Build (DBB) 1.0.9 and earlier

Remediation/Fixes

Upgrade the IBM Dependency Based Build toolkit to IBM Dependency Based Build 1.1.0. IBM Dependency Based Build toollkit can be obtained via Shopz.

Workarounds and Mitigations

Upgrade the IBM Dependency Based Build toolkit to IBM Dependency Based Build 1.1.0 or replace the snakeyaml-1.23.jar with snakeyaml-1.26.jar.

CPENameOperatorVersion
ibm dependency based buildeq1.1.0