CVE-2022-41854 — Stack-based Buffer Overflow in Snakeyaml

CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write8 documents7 sources

Severity

6.5MEDIUMNVD

CNA5.8

EPSS

0.1%

top 76.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Snakeyaml Snakeyaml Project Snakeyaml Fedoraproject Fedora

Timeline

PublishedNov 11

Latest updateNov 13

Description

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5snakeyaml/snakeyamlunspecified — 1.32

▶NVDsnakeyaml_project/snakeyaml< 1.32

Also affects: Fedora 36, 37

🔴Vulnerability Details

CVEList

Stack Overflow in Snakeyaml↗2022-11-11

▶

GHSA

Snakeyaml vulnerable to Stack overflow leading to denial of service↗2022-11-11

▶

OSV

Snakeyaml vulnerable to Stack overflow leading to denial of service↗2022-11-11

▶

OSV

CVE-2022-41854: Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS)↗2022-11-11

▶

📋Vendor Advisories

Red Hat

dev-java/snakeyaml: DoS via stack overflow↗2022-11-13

▶

Microsoft

Stack Overflow in Snakeyaml↗2022-11-08

▶

Debian

CVE-2022-41854: snakeyaml - Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial ...↗2022

▶