Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jMjRmLTJqM2ctcmc0OM4AAyMi
kaml has potential denial of service while parsing input with anchors and aliases
Impact
Applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash.
Patches
Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases.
Workarounds
None.
References
Wikipedia has an explanation of this class of vulnerability: billion laughs attack
Acknowledgements
Thank you to @gdude2002 for reporting this issue.
Permalink: https://github.com/advisories/GHSA-c24f-2j3g-rg48
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMjRmLTJqM2ctcmc0OM4AAyMi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00159
EPSS Percentile: 0.52801
Identifiers: GHSA-c24f-2j3g-rg48, CVE-2023-28118
References:
- https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48
- https://nvd.nist.gov/vuln/detail/CVE-2023-28118
- https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a
- https://github.com/charleskorn/kaml/releases/tag/0.53.0
- https://github.com/advisories/GHSA-c24f-2j3g-rg48
Blast Radius: 16.7
Affected Packages
maven:com.charleskorn.kaml:kaml
Dependent packages: 8
Dependent repositories: 168
Downloads:
Affected Version Ranges: < 0.53.0
Fixed in: 0.53.0
All affected versions: 0.1.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.1, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.35.2, 0.35.3, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0
All unaffected versions: 0.53.0, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.61.0, 0.62.0, 0.62.1, 0.62.2, 0.63.0, 0.65.0, 0.66.0, 0.67.0