CVE-2014-9130
Published: 2014-12-08
Priority: P4 26 · medium · CVSS 2.0 score 5 · AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 13.20% (95.9th percentile)
scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libyaml | < libyaml 0.1.6-3 (bookworm) | libyaml 0.1.6-3 (bookworm) |
| debian | libyaml-libyaml-perl | < libyaml 0.1.6-3 (bookworm) | libyaml 0.1.6-3 (bookworm) |
| debian | pyyaml | < libyaml 0.1.6-3 (bookworm) | libyaml 0.1.6-3 (bookworm) |
| pyyaml | libyaml | — | — |
| pyyaml | libyaml | — | — |
| pyyaml | libyaml | >= 0 < 0.1.6-3 | 0.1.6-3 |
| pyyaml | libyaml | >= 0 < 0.1.6-3 | 0.1.6-3 |
| pyyaml | libyaml | >= 0 < 0.1.6-3 | 0.1.6-3 |
| pyyaml | libyaml | >= 0 < 0.1.6-3 | 0.1.6-3 |
| pyyaml | pyyaml | >= 0 < 3.11-2 | 3.11-2 |
| pyyaml | pyyaml | >= 0 < 3.11-2 | 3.11-2 |
| pyyaml | pyyaml | >= 0 < 3.11-2 | 3.11-2 |
| pyyaml | pyyaml | >= 0 < 3.11-2 | 3.11-2 |
Detection & IOCs (extracted from sources)
- Trigger condition is an assertion failure in scanner.c when parsing YAML data containing wrapped (line-wrapped) strings; look for abnormal process termination (SIGABRT/assert) in applications that consume YAML input via LibYAML, YAML-LibYAML (Perl), or PyYAML.
- Vulnerable code is specifically in scanner.c of LibYAML 0.1.5 and 0.1.6; detection should focus on processes loading YAML from untrusted sources using these library versions.
- The same assertion-failure vulnerability exists in PyYAML (Python implementation); monitor Python applications parsing untrusted YAML for unexpected crashes/assert failures.
- Debian fixed the vulnerability in libyaml package version 0.1.6-3; systems running earlier package versions across bookworm, bullseye, trixie, forky, and sid remain vulnerable.
- Red Hat deferred or will not fix the issue in several products (MRG 1, MRG 2, Satellite 5, Satellite 6, Subscription Asset Manager); mingw-libyaml in CloudForms Management Engine 5 is not affected.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Ubuntu: PyYAML vulnerability
vendor_ubuntu · 2015-01-12 · CVE-2014-9130
Summary: Applications using PyYAML could be made to crash if they received specially crafted input.
Stanisław Pitucha and Jonathan Gray discovered that PyYAML did not properly handle wrapped strings. An attacker could create specially crafted YAML data to trigger an assert, causing a denial of service.
Instructions: After a standard system update you need to restart applications using PyYAML to make all the necessary changes.
Ubuntu: libyaml-libyaml-perl vulnerability
vendor_ubuntu · 2015-01-12 · CVE-2014-9130
Summary: Applications using libyaml-libyaml-perl could be made to crash if they received specially crafted input.
Stanisław Pitucha and Jonathan Gray discovered that libyaml-libyaml-perl did not properly handle wrapped strings. An attacker could create specially crafted YAML data to trigger an assert, causing a denial of service.
Instructions: After a standard system update you need to restart applications using libyaml-libyaml-perl to make all the necessary changes.
Ubuntu: LibYAML vulnerability
vendor_ubuntu · 2015-01-12 · CVE-2014-9130
Summary: Applications using LibYAML could be made to crash if they received specially crafted input.
Stanisław Pitucha and Jonathan Gray discovered that LibYAML did not properly handle wrapped strings. An attacker could create specially crafted YAML data to trigger an assert, causing a denial of service.
Instructions: After a standard system update you need to restart applications using LibYAML to make all the necessary changes.
Red Hat: libyaml: assert failure when processing wrapped strings
vendor_redhat · 2014-11-26 · CVE-2014-9130 · MEDIUM · CVSS 5.0 · CWE-617
scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
Package: mingw-libyaml (CloudForms Management Engine 5) - Not affected
Package: libyaml (Red Hat Enterprise MRG 1) - Will not fix
Package: libyaml (Red Hat Enterprise MRG 2) - Will not fix
Package: libyaml (Red Hat Satellite 5) - Fix deferred
Package: libyaml (Red Hat Satellite 6) - Fix deferred
Debian: CVE-2014-9130: libyaml
vendor_debian · 2014 · CVE-2014-9130 · MEDIUM · CVSS 5.0
scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
Scope: local
bookworm: resolved (fixed in 0.1.6-3)
bullseye: resolved (fixed in 0.1.6-3)
forky: resolved (fixed in 0.1.6-3)
sid: resolved (fixed in 0.1.6-3)
trixie: resolved (fixed in 0.1.6-3)
GHSA: GHSA-wrq2-fvvw-grpm: scanner
ghsa_unreviewed · 2022-05-17 · CVE-2014-9130 · MEDIUM · CWE-20
scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
OSV: CVE-2014-9130: scanner
osv · 2014-12-08 · CVE-2014-9130 · MEDIUM · CVSS 5.0
scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
No detection rules found.
No public exploits indexed.
HackerOne: Ruby 2.3.x and 2.2.x still bundle DoS vulnerable version of libYAML
hackerone · 2017-10-25 · CVE-2014-9130 · MEDIUM · CVSS 5.0
libYAML 0.1.6 (and 0.1.5) has a DoS vulnerability known as [CVE-2014-9130](http://www.cvedetails.com/cve/CVE-2014-9130/).
Now Ruby 2.4.x bundles fixed version 0.1.7, but 2.3.x and 2.2.x still bundle 0.1.6.
Note that I'm the maintainer of Ruby 2.3.x and 2.2.x.
Therefore, this report is a kind of reminder.
Bugzilla: PyYAML: assert failure when processing wrapped strings
bugzilla · 2015-03-23 · CVE-2014-9130 · MEDIUM · CVSS 5.0
An assertion failure was found in the way the PyYAML library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using PyYAML could cause the application to crash.
This is the same flaw as CVE-2014-9130 but in the Python implementation of the YAML library. MITRE recommends it should be a separate issue:
http://seclists.org/oss-sec/2014/q4/854
Upstream patch:
https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc
Discussion:
Created PyYAML tracking bugs for this issue:
Affects: fedora-all [bug 1204830]
Affects: epel-5 [bug 1204832]
---
Created python26-PyYAML tracking bugs for this issue:
Affects: epel-5 [bug 1204833]
---
PyYAML-3.11-7.fc21 has been pus
Bugzilla: CVE-2014-9130 perl-YAML-LibYAML: libyaml: assert failure when processing wrapped strings [epel-6]
bugzilla · 2014-12-02 · CVE-2014-9130 · MEDIUM · CVSS 5.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for perl-YA
Bugzilla: CVE-2014-9130 perl-YAML-LibYAML: libyaml: assert failure when processing wrapped strings [epel-7]
bugzilla · 2014-12-02 · CVE-2014-9130 · MEDIUM · CVSS 5.0
epel-7 tracking bug for perl-YA
Bugzilla: CVE-2014-9130 perl-YAML-LibYAML: libyaml: assert failure when processing wrapped strings [fedora-all]
bugzilla · 2014-12-02 · CVE-2014-9130 · MEDIUM · CVSS 5.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
Bugzilla: CVE-2014-9130 libyaml: assert failure when processing wrapped strings [epel-all]
bugzilla · 2014-12-01 · CVE-2014-9130 · MEDIUM · CVSS 5.0
NOTE: this issue affects multiple supported vers
Bugzilla: CVE-2014-9130 libyaml: assert failure when processing wrapped strings
bugzilla · 2014-12-01 · CVE-2014-9130 · MEDIUM · CVSS 5.0
An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
This issue was reported upstream at [1]; a patch that fixes this issue is available at [2].
[1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
[2] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd36780ba32a
Discussion:
Created libyaml tracking bugs for this issue:
Affects: fedora-all [bug 1169371]
Affects: epel-all [bug 1169372]
---
References:
https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
http://www.openwall.com/lists/o
Bugzilla: CVE-2014-9130 libyaml: assert failure when processing wrapped strings [fedora-all]
bugzilla · 2014-12-01 · CVE-2014-9130 · MEDIUM · CVSS 5.0
NOTE: this issue affects multiple supported version
References
- http://advisories.mageia.org/MGASA-2014-0508.html
- http://linux.oracle.com/errata/ELSA-2015-0100.html
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html
- http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html
- http://rhn.redhat.com/errata/RHSA-2015-0100.html
- http://rhn.redhat.com/errata/RHSA-2015-0112.html
- http://rhn.redhat.com/errata/RHSA-2015-0260.html
- http://secunia.com/advisories/59947
- http://secunia.com/advisories/60944
- http://secunia.com/advisories/62164
- http://secunia.com/advisories/62174
- http://secunia.com/advisories/62176
- http://secunia.com/advisories/62705
- http://secunia.com/advisories/62723
- http://secunia.com/advisories/62774
- http://www.debian.org/security/2014/dsa-3102
- http://www.debian.org/security/2014/dsa-3103
- http://www.debian.org/security/2014/dsa-3115
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:242
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:060
- http://www.openwall.com/lists/oss-security/2014/11/28/1
- http://www.openwall.com/lists/oss-security/2014/11/28/8
- http://www.openwall.com/lists/oss-security/2014/11/29/3
- http://www.securityfocus.com/bid/71349
- http://www.ubuntu.com/usn/USN-2461-1
- http://www.ubuntu.com/usn/USN-2461-2
- http://www.ubuntu.com/usn/USN-2461-3
- https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
- https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99047
- https://puppet.com/security/cve/cve-2014-9130