Vulnerability Details : CVE-2023-28118
kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.
Products affected by CVE-2023-28118
- cpe:2.3:a:kaml_project:kaml:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28118
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~53%
Percentile: the proportion of vulnerabilities scored at or below this EPSS score
CVSS scores for CVE-2023-28118
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | GitHub, Inc. | 
CWE ids for CVE-2023-28118
- The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-28118
- https://github.com/charleskorn/kaml/releases/tag/0.53.0 (Release Notes): Release 0.53.0 · charleskorn/kaml · GitHub
- https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a (Patch): Default to not parsing anchors and aliases to prevent "billion laughs… · charleskorn/kaml@5f82a2d · GitHub
- https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48 (Vendor Advisory): Potential denial of service while parsing input with anchors and aliases · Advisory · charleskorn/kaml · GitHub