[MAVEN:GHSA-C24F-2J3G-RG48] kaml has potential denial of service while parsing input with anchors and aliases
Severity
High
Affected Packages
1
Fixed Packages
1
CVEs
1
Impact
Applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash.
Patches
Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases.
Workarounds
None.
References
Wikipedia has an explanation of this class of vulnerability: billion laughs attack
Acknowledgements
Thank you to @gdude2002 for reporting this issue.
| Package | Affected Version |
|---|---|
 pkg:maven/com.charleskorn.kaml/kaml
|
< 0.53.0 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/com.charleskorn.kaml/kaml
|
= 0.53.0 |
- ID
- MAVEN:GHSA-C24F-2J3G-RG48
- Severity
- high
- URL
- https://github.com/advisories/GHSA-c24f-2j3g-rg48
- Published
-
2023-03-20T21:26:59
(18 months ago) - Modified
-
2023-03-20T21:27:00
(18 months ago) - Rights
- Maven Security Team
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |