REDHAT-BUG-2129710
First published: Mon Sep 26 2022(Updated: )
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow. <a href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081">https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081</a> <a href="https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081">https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SnakeYaml |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081
- https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130444
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130445
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130443
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130446
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130447
- https://access.redhat.com/errata/RHSA-2022:6757
- https://access.redhat.com/errata/RHSA-2022:8524
- https://access.redhat.com/security/cve/cve-2022-38752
- https://access.redhat.com/errata/RHSA-2023:0189
- https://access.redhat.com/errata/RHSA-2023:1514
- https://access.redhat.com/errata/RHSA-2023:1513
- https://access.redhat.com/errata/RHSA-2023:1512
- https://access.redhat.com/errata/RHSA-2023:1516
- https://access.redhat.com/errata/RHSA-2023:2097
- https://access.redhat.com/errata/RHSA-2023:2100
- https://access.redhat.com/errata/RHSA-2023:2706
- https://access.redhat.com/errata/RHSA-2023:2707
- https://access.redhat.com/errata/RHSA-2023:2705
- https://access.redhat.com/errata/RHSA-2023:2713
- https://access.redhat.com/errata/RHSA-2023:2710
- https://access.redhat.com/errata/RHSA-2023:3641
- https://bugzilla.redhat.com/show_bug.cgi?id=2129710
Frequently Asked Questions
What is the severity of REDHAT-BUG-2129710?
The severity of REDHAT-BUG-2129710 is classified as critical due to its potential for Denial of Service attacks.
How do I fix REDHAT-BUG-2129710?
To fix REDHAT-BUG-2129710, upgrade to the latest version of SnakeYAML that addresses this vulnerability.
What vulnerabilities are associated with REDHAT-BUG-2129710?
REDHAT-BUG-2129710 is associated with stack overflow vulnerabilities in SnakeYAML when parsing untrusted YAML files.
Who is affected by REDHAT-BUG-2129710?
Users of SnakeYAML who parse untrusted YAML files are affected by REDHAT-BUG-2129710.
What are the potential impacts of REDHAT-BUG-2129710?
The potential impacts of REDHAT-BUG-2129710 include crashes and service outages due to Denial of Service conditions.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-38752
- agent/source
- agent/severity
- agent/description
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/snakeyaml
- canonical/snakeyaml