CVE-2013-6393: Improper Restriction of Operations within the Bounds of a Memory Buffer in LibYAML

Severity: 6.8 MEDIUM (NVD)
EPSS: 8.1% (top 7.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 6, 2014; latest update Aug 31, 2020

Description

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
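The description says the pre-0.1.5 scanner performs an incorrect cast while sizing the buffer that receives a tag's head, after which a crafted tag overflows the heap. The C program below is an added example that models that bug class; it is not LibYAML's scanner.c. The function names, the 16-byte initial buffer, the doubling growth policy and the "copy length - 1 bytes" step are assumptions made for illustration. It runs the grow loop on sizes alone (no allocation), so it can show that a capacity check which truncates a size_t length to int stops growing the buffer once the length exceeds INT_MAX while the same comparison done in size_t sizes it correctly, and it adds a version gate for the numbers a libyaml-linked program obtains from yaml_get_version().

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the bug class named in the CVE description: a growable string
 * buffer whose "does the tag head fit?" check compares the available room
 * (a signed, pointer-width difference) with a size_t length cast to int.
 * Names, sizes and growth policy are assumptions; this is not LibYAML code. */

#define INITIAL_STRING_SIZE 16   /* assumed starting capacity */

/* Vulnerable-style check. `room` stands in for end - start (a ptrdiff_t).
 * Casting `length` to int discards its high bits, so for length > INT_MAX
 * the right-hand side becomes negative or small on two's-complement ABIs
 * and the check answers "no growth needed". */
static int needs_grow_buggy(size_t room, size_t length)
{
    ptrdiff_t have = (ptrdiff_t)room;
    return have <= (int)length;
}

/* Hardened check: both sides compared as size_t, nothing truncated. */
static int needs_grow_fixed(size_t room, size_t length)
{
    return room <= length;
}

/* Run the extend-until-it-fits loop on sizes only, so lengths beyond
 * INT_MAX can be examined without allocating. Returns the final capacity,
 * or 0 if doubling would wrap size_t (a real allocator would fail there). */
static size_t grow_capacity(size_t length, int (*needs_grow)(size_t, size_t))
{
    size_t cap = INITIAL_STRING_SIZE;
    while (needs_grow(cap, length)) {
        if (cap > SIZE_MAX / 2)
            return 0;
        cap *= 2;
    }
    return cap;
}

/* After the check, (length - 1) bytes of the head are copied (the leading
 * '!' is skipped, an assumption of this model). 1 if that write stays
 * inside a buffer of `cap` bytes. */
static int head_copy_in_bounds(size_t cap, size_t length)
{
    if (length <= 1)
        return 1;
    return length - 1 <= cap;
}

/* 1 if a head of `length` bytes would be written past the buffer that the
 * given check sizes; 0 if it fits; -1 if the buffer could not be sized. */
static int overflows_with(size_t length, int (*needs_grow)(size_t, size_t))
{
    size_t cap = grow_capacity(length, needs_grow);
    if (cap == 0)
        return -1;
    return head_copy_in_bounds(cap, length) ? 0 : 1;
}

/* Version gate from the advisory text: LibYAML before 0.1.5 is affected.
 * In a program linked against libyaml the three numbers would come from
 * yaml_get_version(&major, &minor, &patch). */
static int libyaml_version_affected(int major, int minor, int patch)
{
    if (major != 0)
        return 0;
    if (minor != 1)
        return minor < 1;
    return patch < 5;
}

int main(void)
{
    /* Constructed head lengths: a normal tag, the largest int, and one past it. */
    size_t lengths[] = { 100, (size_t)INT_MAX, (size_t)INT_MAX + 1 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("head length %zu: buggy check -> %d, fixed check -> %d\n",
               lengths[i],
               overflows_with(lengths[i], needs_grow_buggy),
               overflows_with(lengths[i], needs_grow_fixed));
    }
    /* Constructed version triple, as an old build would report it. */
    printf("LibYAML 0.1.4 affected: %d\n", libyaml_version_affected(0, 1, 4));
    return 0;
}
```

The -1 result from overflows_with() is the honest outcome on a 32-bit size_t for a head longer than 2 GiB: the corrected check asks for a buffer that cannot exist, which surfaces as an allocation failure rather than an out-of-bounds write. The buggy check never reaches that point because it stops growing at the initial 16 bytes.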

CVSS vector (v2)

AV:N/AC:M/Au:N/C:P/I:P/A:P (Exploitability subscore: 8.6 | Impact subscore: 6.4)

Affected Packages (6 packages)

Source   Package            Affected versions
npm      pyyaml/libyaml     < 0.2.3
Debian   pyyaml/libyaml     < 0.1.4-3+3
NVD      pyyaml/libyaml     0.1.4 (+4 more)
NVD      opensuse/leap      42.1
NVD      redhat/openstack   3.0, 4.0 (+1 more)

Also affects: Debian Linux 6.0, 7.0; Ubuntu Linux 12.04, 12.10, 13.10

Patches

Fixed upstream in LibYAML 0.1.5 (the description above covers releases before 0.1.5); no patch links are listed on this page.

Vulnerability Details (4)

OSV: Heap Based Buffer Overflow in libyaml (2020-08-31)
GHSA: Heap Based Buffer Overflow in libyaml (2020-08-31)
OSV: CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner (2014-02-06)
CVEList: CVE-2013-6393: The yaml_parser_scan_tag_uri function in scanner (2014-02-06)

Vendor Advisories (4)

Ubuntu: libyaml-libyaml-perl vulnerabilities (2014-04-03)
Ubuntu: LibYAML vulnerability (2014-02-04)
Red Hat: libyaml: heap-based buffer overflow when parsing YAML tags (2014-01-27)
Debian: CVE-2013-6393: libyaml - The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 perfo... (2013)

Community (6)

Bugzilla: CVE-2013-6393 perl-YAML-LibYAML: libyaml: heap-based buffer overflow when parsing YAML tags [epel-6] (2014-03-27)
Bugzilla: CVE-2013-6393 perl-YAML-LibYAML: libyaml: heap-based buffer overflow when parsing YAML tags [fedora-all] (2014-03-27)
Bugzilla: CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags [epel-all] (2014-01-29)
Bugzilla: CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags [fedora-all] (2014-01-29)
CVE-2013-6393 — Pyyaml Libyaml vulnerability | cvebase