Lucene search

K
osvGoogleOSV:USN-5944-1
HistoryMar 10, 2023 - 10:18 a.m.

snakeyaml vulnerabilities

2023-03-1010:18:12
Google
osv.dev
7
snakeyaml
vulnerabilities
depth limit
regex
denial of service
software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

High

EPSS

0.002

Percentile

55.6%

It was discovered that SnakeYAML did not limit the maximal nested depth
for collections when parsing YAML data. If a user or automated system were
tricked into opening a specially crafted YAML file, an attacker could
possibly use this issue to cause applications using SnakeYAML to crash,
resulting in a denial of service. (CVE-2022-25857, CVE-2022-38749,
CVE-2022-38750)

It was discovered that SnakeYAML did not limit the maximal data matched
with regular expressions when parsing YAML data. If a user or automated
system were tricked into opening a specially crafted YAML file, an
attacker could possibly use this issue to cause applications using
SnakeYAML to crash, resulting in a denial of service. (CVE-2022-38751)

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

High

EPSS

0.002

Percentile

55.6%