OESA-2023-1163

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1163
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1163.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1163
Upstream
Published
2023-03-17T11:05:02Z
Modified
2025-08-12T05:13:08.216627Z
Summary
snakeyaml security update
Details

SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages.

Security Fix(es):

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857)

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749)

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750)

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751)

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752)

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP1 / snakeyaml

Package

Name
snakeyaml
Purl
pkg:rpm/openEuler/snakeyaml&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.32-1.oe2203sp1

Ecosystem specific 

{
    "src": [
        "snakeyaml-1.32-1.oe2203sp1.src.rpm"
    ],
    "noarch": [
        "snakeyaml-1.32-1.oe2203sp1.noarch.rpm",
        "snakeyaml-javadoc-1.32-1.oe2203sp1.noarch.rpm"
    ]
}