CVE-2023-28118
First published: Mon Mar 20 2023(Updated: )
kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kaml Project Kaml | <0.53.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-28118?
CVE-2023-28118 is a vulnerability in kaml, a library that provides YAML support for kotlinx.serialization. It allows attackers to cause a denial of service (DoS) by consuming excessive memory and crashing the application.
Which applications are affected by CVE-2023-28118?
Applications that use kaml prior to version 0.53.0 are affected by CVE-2023-28118.
What is the severity of CVE-2023-28118?
CVE-2023-28118 has a severity rating of 7.5 (high).
How do I fix CVE-2023-28118?
To fix CVE-2023-28118, upgrade to version 0.53.0 or later of kaml library.
Where can I find more information about CVE-2023-28118?
You can find more information about CVE-2023-28118 in the following references: [GitHub Commit](https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a), [GitHub Release](https://github.com/charleskorn/kaml/releases/tag/0.53.0), [GitHub Security Advisory](https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48).
- collector/nvd-index
- vendor/kaml project
- canonical/kaml project kaml