Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM83FB543E615A9C8662A98035262ECF1D1F4689ADFAF69DF4FB232747683951CC
HistoryFeb 17, 2021 - 2:52 p.m.

Security Bulletin: Vulnerability has been identified in SnakeYAML used by IBM Dependency Based Build

2021-02-1714:52:25
www.ibm.com
126
snakeyaml
ibm dependency based build
vulnerability
dos
upgrade

EPSS

0.019

Percentile

88.5%

JSON

Summary

A vulnerability has been identified in SnakeYAML used by IBM Dependency Based BUild. SnakeYAML is used to load local YAML property files and is unlikely to cause a DoS incident described in the Vulnerability Details below. However, IBM recommends upgrading to version 1.1.0 or later.

Vulnerability Details

CVEID:CVE-2017-18640
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174331 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
Dependency Based Build (DBB) 1.0.9 and earlier

Remediation/Fixes

Upgrade the IBM Dependency Based Build toolkit to IBM Dependency Based Build 1.1.0. IBM Dependency Based Build toollkit can be obtained via Shopz.

Workarounds and Mitigations

Upgrade the IBM Dependency Based Build toolkit to IBM Dependency Based Build 1.1.0 or replace the snakeyaml-1.23.jar with snakeyaml-1.26.jar.

Related

veracode 1
fedora 2
checkpoint_advisories 1
ibm 19
openvas 5
nessus 12
oraclelinux 1
osv 4
rocky 1
suse 1
cbl_mariner 1
redhat 4
almalinux 1
jvn 1
cvelist 1
github 1
redhatcve 1
cve 1
debiancve 1
prion 1
ubuntucve 1
nvd 1
gentoo 1
oracle 1
veracode
veracode
Denial Of Service (DoS)
2020-02-13 05:33:31
fedora
fedora
[SECURITY] Fedora 31 Update: snakeyaml-1.26-1.fc31
2020-04-26 02:49:49
[SECURITY] Fedora 32 Update: snakeyaml-1.26-1.fc32
2020-04-25 02:40:54
checkpoint_advisories
checkpoint_advisories
Develar SnakeYAML Entity Expansion (CVE-2017-18640)
2022-05-17 00:00:00
ibm
ibm
Security Bulletin: vulnerability in snakeyaml might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2017-18640
2020-08-19 09:24:06
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to denial of service due to SnakeYAML (CVE-2017-18640)
2022-08-09 19:59:23
Security Bulletin: IBM B2B Advanced Communications is vulnerable to denial of service due to SnakeYAML (CVE-2017-18640)
2023-02-20 06:33:10
openvas
openvas
openSUSE: Security Advisory for snakeyaml (openSUSE-SU-2021:1876-1)
2021-07-13 00:00:00
openSUSE: Security Advisory for snakeyaml (openSUSE-SU-2021:0855-1)
2021-06-09 00:00:00
Fedora: Security Advisory for snakeyaml (FEDORA-2020-599514b47e)
2020-04-30 00:00:00
nessus
nessus
RHEL 7 : snakeyaml (Unpatched Vulnerability)
2024-06-03 00:00:00
CentOS 8 : prometheus-jmx-exporter (CESA-2020:4807)
2021-02-01 00:00:00
RHEL 8 : prometheus-jmx-exporter (RHSA-2020:4807)
2020-11-04 00:00:00
oraclelinux
oraclelinux
prometheus-jmx-exporter security update
2020-11-10 00:00:00
osv
osv
Moderate: prometheus-jmx-exporter security update
2020-11-03 12:37:53
Moderate: prometheus-jmx-exporter security update
2020-11-03 12:37:53
SnakeYAML Entity Expansion during load operation
2021-06-04 21:37:45
rocky
rocky
prometheus-jmx-exporter security update
2020-11-03 12:37:53
suse
suse
Security update for snakeyaml (important)
2021-07-11 00:00:00
cbl_mariner
cbl_mariner
CVE-2017-18640 affecting package snakeyaml 1.25-2
2024-09-07 21:11:23
redhat
redhat
(RHSA-2020:2603) Moderate: Red Hat build of Quarkus 1.3.4 security update
2020-06-17 10:59:42
(RHSA-2020:4807) Moderate: prometheus-jmx-exporter security update
2020-11-03 12:37:53
(RHSA-2021:3225) Moderate: Red Hat AMQ Streams 1.8.0 release and security update
2021-08-19 07:14:27
almalinux
almalinux
Moderate: prometheus-jmx-exporter security update
2020-11-03 12:37:53
jvn
jvn
JVN#42883072: Kaitai Struct: compiler vulnerable to denial-of-service (DoS)
2022-08-04 00:00:00
cvelist
cvelist
CVE-2017-18640
2019-12-12 00:00:00
github
github
SnakeYAML Entity Expansion during load operation
2021-06-04 21:37:45
redhatcve
redhatcve
CVE-2017-18640
2020-04-08 21:02:33
cve
cve
CVE-2017-18640
2019-12-12 03:15:10
debiancve
debiancve
CVE-2017-18640
2019-12-12 03:15:10
prion
prion
Design/Logic Flaw
2019-12-12 03:15:00
ubuntucve
ubuntucve
CVE-2017-18640
2019-12-12 00:00:00
nvd
nvd
CVE-2017-18640
2019-12-12 03:15:10
gentoo
gentoo
snakeyaml: Multiple Vulnerabilities
2023-05-21 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2021
2021-04-20 00:00:00

EPSS

0.019

Percentile

88.5%

JSON
Related for 83FB543E615A9C8662A98035262ECF1D1F4689ADFAF69DF4FB232747683951CC
veracode1fedora2checkpoint_advisories1ibm19openvas5nessus12oraclelinux1osv4rocky1suse1cbl_mariner1redhat4almalinux1jvn1cvelist1github1redhatcve1cve1debiancve1prion1ubuntucve1nvd1gentoo1oracle1