Vulnerability Details: CVE-2022-41854
Those using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Vulnerability category: Denial of service
Products affected by CVE-2022-41854
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41854
- 1.33%: Probability of exploitation activity in the next 30 days
- ~ 86%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-41854
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H | 1.3 | 4.0 | Google Inc. | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2022-41854
- A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). Assigned by: cve-coordination@google.com (Secondary)
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-41854
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR/
  [SECURITY] Fedora 37 Update: snakeyaml-1.32-1.fc37 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR/
  [SECURITY] Fedora 37 Update: snakeyaml-1.32-1.fc37 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE/
  [SECURITY] Fedora 38 Update: picocli-4.7.4-1.fc38 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE/
  [SECURITY] Fedora 38 Update: picocli-4.7.4-1.fc38 - package-announce - Fedora Mailing-Lists
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355
  50355 - snakeyaml:YamlFuzzer: Security exception in java.base/java.util.AbstractSet.hashCode - oss-fuzz (Exploit; Issue Tracking; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20240315-0009/
  SnakeYAML 1.32 Vulnerabilities in NetApp Products | NetApp Product Security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J/
  [SECURITY] Fedora 36 Update: snakeyaml-1.32-1.fc36 - package-announce - Fedora Mailing-Lists
- https://security.netapp.com/advisory/ntap-20240621-0006/
  February 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products | NetApp Product Security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J/
  [SECURITY] Fedora 36 Update: snakeyaml-1.32-1.fc36 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)