CVE-2022-38751

Published: Sep 5, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Affected (2)

Products: Snakeyaml Project: Snakeyaml · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Snakeyaml Project Snakeyaml	Before 1.31

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

CWE-121

Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

CWE-787

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (10)

https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039

Source: cve-coordination@google.com

Third Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Source: cve-coordination@google.com

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

Source: cve-coordination@google.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202305-28

Source: cve-coordination@google.com

https://security.netapp.com/advisory/ntap-20240315-0010/

Source: cve-coordination@google.com

https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039