CVE-2022-25857 : The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial o

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Published 2022-08-30 05:15:08

Updated 2024-03-15 11:15:08

Source Snyk

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2022-25857

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Snakeyaml Project » Snakeyaml
Versions before (<) 1.31
cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-25857

EPSS FAQ

0.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 52 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-25857

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	Snyk
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-25857

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: nvd@nist.gov (Primary)
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-25857

https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174

Restrict nested depth for collections to avoid DoS attacks · snakeyaml/snakeyaml@fc30078 · GitHub
Patch;Third Party Advisory
https://security.netapp.com/advisory/ntap-20240315-0010/

SnakeYAML 1.31 Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

[SECURITY] [DLA 3132-1] snakeyaml security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360

Denial of Service (DoS) in org.yaml:snakeyaml | CVE-2022-25857 | Snyk
Exploit;Patch;Third Party Advisory
https://bitbucket.org/snakeyaml/snakeyaml/issues/525

snakeyaml / snakeyaml / issues / #525 - Got StackOverflowError for many open unmatched brackets — Bitbucket
Exploit;Issue Tracking;Third Party Advisory
https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174

snakeyaml / snakeyaml / commit / fc300780da21 — Bitbucket
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-25857

Products affected by CVE-2022-25857

Exploit prediction scoring system (EPSS) score for CVE-2022-25857

CVSS scores for CVE-2022-25857

CWE ids for CVE-2022-25857

References for CVE-2022-25857