CVE-2014-2525
published 2014-03-28

Priority: P341 | Severity: medium | CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS: 9.19% (94.7th percentile)

Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.

Affected

15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libyaml | < libyaml 0.1.4-3.2 (bookworm) | libyaml 0.1.4-3.2 (bookworm) |
| debian | libyaml-libyaml-perl | < libyaml 0.1.4-3.2 (bookworm) | libyaml 0.1.4-3.2 (bookworm) |
| opensuse | leap | | |
| opensuse | opensuse | | |
| opensuse | opensuse | | |
| pyyaml | libyaml | <= 0.1.5 | |
| pyyaml | libyaml | | |
| pyyaml | libyaml | | |
| pyyaml | libyaml | | |
| pyyaml | libyaml | | |
| pyyaml | libyaml | | |
| pyyaml | libyaml | >= 0 < 0.1.4-3.2 | 0.1.4-3.2 |
| pyyaml | libyaml | >= 0 < 0.1.4-3.2 | 0.1.4-3.2 |
| pyyaml | libyaml | >= 0 < 0.1.4-3.2 | 0.1.4-3.2 |
| pyyaml | libyaml | >= 0 < 0.1.4-3.2 | 0.1.4-3.2 |

Detection & IOCs

  • The vulnerability is triggered by a long sequence of percent-encoded characters in a URI within a YAML file, targeting the yaml_parser_scan_uri_escapes function. Detection should focus on YAML files or input streams containing abnormally long sequences of percent-encoded (%XX) characters in URI fields.
  • The vulnerable function is yaml_parser_scan_uri_escapes in LibYAML before version 0.1.6. Process-level monitoring or library call tracing targeting this function with oversized URI input can help detect exploitation attempts.
  • LibYAML versions before 0.1.6 are vulnerable. The patched version is 0.1.6 or later. On Debian-based systems, the fix is present in package version 0.1.4-3.2 or later.
  • Red Hat Enterprise Linux 6 and Red Hat Subscription Asset Manager are confirmed affected. RHEL 7, Red Hat Satellite 5/6, and Red Hat Software Collections are listed as not affected.
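
One way to implement the first detection point above, as an added example that is not part of the original record or of LibYAML. The 32-escape threshold, the function names and the sample document are assumptions made for illustration; the "in a tag" flag is a heuristic based on tags and `%TAG` directives being where YAML carries percent-escaped URIs.

```python
import re

# Assumption: 32 consecutive %XX escapes is well above what legitimate YAML
# tags contain; tune this against your own corpus.
MAX_ESCAPE_RUN = 32

# One or more consecutive percent-encoded bytes (%XX).
_ESCAPE_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2})+")


def find_long_escape_runs(text, max_run=MAX_ESCAPE_RUN):
    """Return (line_no, column, escape_count, in_tag) for every run of
    consecutive %XX escapes longer than max_run.

    The text is scanned as raw characters and never handed to a YAML
    parser, so the check can run on hosts that still ship an old LibYAML.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        is_tag_directive = line.lstrip().startswith("%TAG")
        for m in _ESCAPE_RUN.finditer(line):
            count = (m.end() - m.start()) // 3
            if count <= max_run:
                continue
            # Heuristic: the run belongs to a tag if the whitespace-delimited
            # token it sits in contains '!' before the run starts.
            prefix = line[:m.start()]
            token_start = max(prefix.rfind(" "), prefix.rfind("\t")) + 1
            in_tag = is_tag_directive or "!" in prefix[token_start:]
            findings.append((line_no, m.start() + 1, count, in_tag))
    return findings


def scan_bytes(data, max_run=MAX_ESCAPE_RUN):
    """Decode untrusted bytes leniently, then scan them."""
    return find_long_escape_runs(data.decode("utf-8", errors="replace"), max_run)


# Constructed sample input, not taken from any real file or report.
SAMPLE = (
    "%YAML 1.1\n"
    "---\n"
    "homepage: http://example.com/a%20b\n"
    "payload: !<tag:example.com,2014:" + "%41" * 40 + "> value\n"
    "note: " + "%2F" * 40 + "\n"
)

if __name__ == "__main__":
    for finding in find_long_escape_runs(SAMPLE):
        print(finding)
```

Findings with `in_tag` set are the higher-priority ones to triage; long runs inside plain scalars are usually just URL-encoded data.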

CVSS provenance

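| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 6.8 | MEDIUM | |
| vendor_debian | | 6.8 | MEDIUM | |
| vendor_redhat | | 6.8 | MEDIUM | |
| vendor_ubuntu | | 6.8 | MEDIUM | |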