Lucene search

GoogleOSV:CVE-2023-24620

HistoryAug 25, 2023 - 8:15 p.m.

CVE-2023-24620

2023-08-2520:15:07

Google

osv.dev

cve-2023-24620

yamlbeans

xml entity expansion

yamlreader

anchor feature

cpu consumption

memory consumption

out-of-memory exception

software

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.2%

JSON

An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.

CPENameOperatorVersion
yamlbeanseq1.15
yamlbeanseq1.11
yamlbeanseq1.13
yamlbeanseqyamlbeans-1.08
yamlbeanseqyamlbeans-1.09
yamlbeanseq1.14
yamlbeanseq1.12
yamlbeanseq1.07

Name	Operator	Version
yamlbeans	eq	1.15
yamlbeans	eq	1.11
yamlbeans	eq	1.13
yamlbeans	eq	yamlbeans-1.08
yamlbeans	eq	yamlbeans-1.09
yamlbeans	eq	1.14
yamlbeans	eq	1.12
yamlbeans	eq	1.07

References

contrastsecurity.com

github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

github.com/EsotericSoftware

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.2%

JSON

Related for OSV:CVE-2023-24620