[Bugs] [Bug 13314] New: [CVE 21] snakeyaml 1.25 CVEs found

bugzilla bugzilla на rosalinux.ru
Ср Май 3 17:02:46 MSK 2023 

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13314

          Platform: 2021.1
            Bug ID: 13314
           Summary: [CVE 21] snakeyaml 1.25  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2017-18640, CVE-2022-1471, CVE-2022-25857,
                    CVE-2022-38749, CVE-2022-38750, CVE-2022-38751,
                    CVE-2022-38752, CVE-2022-41854,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package snakeyaml version 1.25

INFO (CVEs are): snakeyaml 1.25
 cves found
CVE-2017-18640
Desc: The Alias feature in SnakeYAML before 1.26 allows entity expansion during
a load operation, a related issue to CVE-2003-1564.
Link: https://nvd.nist.gov/vuln/detail/CVE-2017-18640
Severity: HIGH
CVE-2022-1471
Desc: SnakeYaml's Constructor() class does not restrict types which can be
instantiated during deserialization. Deserializing yaml content provided by an
attacker can lead to remote code execution. We recommend using SnakeYaml's
SafeConsturctor when parsing untrusted content to restrict deserialization. We
recommend upgrading to version 2.0 and beyond.

Link: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Severity: CRITICAL
CVE-2022-25857
Desc: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to
Denial of Service (DoS) due missing to nested depth limitation for collections.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-25857
Severity: HIGH
CVE-2022-38749
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial
of Service attacks (DOS). If the parser is running on user supplied input, an
attacker may supply content that causes the parser to crash by stackoverflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38749
Severity: MEDIUM
CVE-2022-38750
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial
of Service attacks (DOS). If the parser is running on user supplied input, an
attacker may supply content that causes the parser to crash by stackoverflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38750
Severity: MEDIUM
CVE-2022-38751
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial
of Service attacks (DOS). If the parser is running on user supplied input, an
attacker may supply content that causes the parser to crash by stackoverflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38751
Severity: MEDIUM
CVE-2022-38752
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial
of Service attacks (DOS). If the parser is running on user supplied input, an
attacker may supply content that causes the parser to crash by stack-overflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38752
Severity: MEDIUM
CVE-2022-41854
Desc: Those using Snakeyaml to parse untrusted YAML files may be vulnerable to
Denial of Service attacks (DOS). If the parser is running on user supplied
input, an attacker may supply content that causes the parser to crash by stack
overflow. This effect may support a denial of service attack.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41854
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230503/f0d8907d/attachment-0001.html>

Подробная информация о списке рассылки Bugs