CVE-2022-38752 — Stack-based Buffer Overflow in Project Snakeyaml

CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write10 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 62.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Snakeyaml Project Snakeyaml Snakeyaml

Timeline

PublishedSep 5

Latest updateApr 15

Description

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDsnakeyaml_project/snakeyaml< 1.32

▶CVEListV5snakeyaml/snakeyamlunspecified — 1.31

🔴Vulnerability Details

GHSA

snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write↗2022-09-06

▶

OSV

snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write↗2022-09-06

▶

CVEList

DoS in SnakeYAML↗2022-09-05

▶

OSV

CVE-2022-38752: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS)↗2022-09-05

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (SnakeYAML) — CVE-2022-38752↗2023-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Signaling (SnakeYAML) — CVE-2022-38752↗2023-01-15

▶

Microsoft

DoS in SnakeYAML↗2022-09-13

▶

Red Hat

snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode↗2022-09-05

▶

Debian

CVE-2022-38752: snakeyaml - Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Ser...↗2022

▶