CVE-2022-38749 — Stack-based Buffer Overflow in Snakeyaml

CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write10 documents8 sources

Severity

6.5MEDIUMNVD

OSV7.5

EPSS

0.5%

top 32.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Snakeyaml Snakeyaml Project Snakeyaml Debian Linux

Timeline

PublishedSep 5

Latest updateMar 10

Description

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5snakeyaml/snakeyamlunspecified — 1.31

▶NVDsnakeyaml_project/snakeyaml< 1.31

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

snakeyaml vulnerabilities↗2023-03-10

▶

OSV

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write↗2022-09-06

▶

GHSA

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write↗2022-09-06

▶

CVEList

DoS in SnakeYAML↗2022-09-05

▶

OSV

CVE-2022-38749: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS)↗2022-09-05

▶

📋Vendor Advisories

Ubuntu

SnakeYAML vulnerabilities↗2023-03-10

▶

Microsoft

DoS in SnakeYAML↗2022-09-13

▶

Red Hat

snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode↗2022-09-05

▶

Debian

CVE-2022-38749: snakeyaml - Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Ser...↗2022

▶