CVE-2023-28118

EPSS 0.97%
Veröffentlicht 20.03.2023 13:15:11
Zuletzt bearbeitet 21.11.2024 07:54:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

kaml has potential denial of service while parsing input with anchors and aliases

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kaml Project ≫ Kaml Version < 0.53.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.97%	0.574

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a

Patch

https://github.com/charleskorn/kaml/releases/tag/0.53.0

Release Notes

https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-28118

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28118

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28118

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-28118