ALT-PU-2025-16285-5

BDU:2023-00013

CRITICAL9.8

Уязвимость библиотеки для сериализации и десериализации YAML-документов SnakeYAML, связанная с восстановлением в памяти недостоверной структуры данных, позволяющая нарушителю выполнить произвольный код

Published: 2023-01-03Modified: 2026-02-10

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2022-1471

BDU:2023-05608

MEDIUM6.5

Уязвимость библиотеки для сериализации и десериализации YAML-документов SnakeYAML, связанная с переполнением буфера на стеке, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-14Modified: 2026-02-10

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2022-38749

BDU:2023-05609

MEDIUM6.5

Уязвимость библиотеки для сериализации и десериализации YAML-документов SnakeYAML, связанная с переполнением буфера на стеке, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-14Modified: 2026-02-10

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2022-38751

BDU:2023-05610

MEDIUM6.5

Уязвимость библиотеки для сериализации и десериализации YAML-документов SnakeYAML, связанная с переполнением буфера на стеке, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-14Modified: 2026-02-10

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2022-38752

BDU:2023-05611

MEDIUM6.5

Уязвимость библиотеки для сериализации и десериализации YAML-документов SnakeYAML, связанная с переполнением буфера на стеке, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-14Modified: 2026-02-10

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2022-41854

BDU:2023-05620

MEDIUM6.5

Уязвимость библиотеки для сериализации и десериализации YAML-документов SnakeYAML, связанная с переполнением буфера на стеке, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-14Modified: 2026-02-10

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2022-38750

BDU:2023-05621

HIGH7.5

Уязвимость пакета org.yaml:snakeyaml библиотеки для сериализации и десериализации YAML-документов SnakeYAML, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-14Modified: 2026-02-10

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2022-25857

CVE-2022-1471

CRITICAL9.8

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Published: 2022-12-01Modified: 2025-06-18

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2022-25857

HIGH7.5

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Published: 2022-08-30Modified: 2024-11-21

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2022-38749

MEDIUM6.5

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Published: 2022-09-05Modified: 2024-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2022-38750

MEDIUM5.5

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Published: 2022-09-05Modified: 2024-11-21

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

CVE-2022-38751

MEDIUM6.5

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Published: 2022-09-05Modified: 2024-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2022-38752

MEDIUM6.5

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Published: 2022-09-05Modified: 2024-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2022-41854

MEDIUM6.5

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Published: 2022-11-11Modified: 2024-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

GHSA-3mc7-4q67-w48m

HIGH7.5

Uncontrolled Resource Consumption in snakeyaml

Published: 2022-08-31Modified: 2024-03-15

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

GHSA-98wm-3w3q-mw94

MEDIUM6.5

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

Published: 2022-09-06Modified: 2024-03-15

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

GHSA-9w3m-gqgf-c4p9

MEDIUM6.5

snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write

Published: 2022-09-06Modified: 2024-03-15

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

GHSA-c4r9-r8fh-9vj2

MEDIUM6.5

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

Published: 2022-09-06Modified: 2024-03-15

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

GHSA-hhhw-99gj-p3c3

MEDIUM5.5

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

Published: 2022-09-06Modified: 2024-03-15

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

GHSA-mjmj-j48q-9wg2

HIGH8.3

SnakeYaml Constructor Deserialization Remote Code Execution

Published: 2022-12-13Modified: 2025-06-18

CVSS 3.xHIGH 8.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

References

GHSA-w37g-rhq8-7m4j

MEDIUM6.5

Snakeyaml vulnerable to Stack overflow leading to denial of service

Published: 2022-11-11Modified: 2024-06-22

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Package update snakeyaml in branch sisyphus

Closed issues (21)

Уязвимость пакета org.yaml:snakeyaml библиотеки для сериализации и десериализации YAML-документов SnakeYAML, позволяющая нарушителю вызвать отказ в обслуживании

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Uncontrolled Resource Consumption in snakeyaml

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

SnakeYaml Constructor Deserialization Remote Code Execution

Snakeyaml vulnerable to Stack overflow leading to denial of service