Lucene search

Japan Vulnerability NotesJVN:86156389

HistoryNov 10, 2023 - 12:00 a.m.

JVN#86156389: Remarshal unlimitedly expanding YAML alias nodes

2023-11-1000:00:00

Japan Vulnerability Notes

jvn.jp

remarshal

yaml

alias

expansion

vulnerability

fix

dos

update

software

developer

version

affected

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

18.8%

JSON

Remarshal provided by Remarshal Project expands YAML alias nodes unlimitedly (CWE-674), hence Remarshal is vulnerable to Billion Laughs Attack.

Impact

Processing untrusted YAML files may cause a denial-of-service (DoS) condition.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the version listed below that addresses the vulnerability.

Remarshal v0.17.1

Products Affected

Remarshal versions prior to v0.17.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

18.8%

JSON

Related for JVN:86156389