{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-25857", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-09-16T21:57:41.551Z", "dateReserved": "2022-02-24T00:00:00", "datePublished": "2022-08-30T05:05:11.588462Z"}, "containers": {"cna": {"title": "Denial of Service (DoS)", "datePublic": "2022-08-30T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-03-15T11:06:01.014562"}, "descriptions": [{"lang": "en", "value": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections."}], "affected": [{"vendor": "n/a", "product": "org.yaml:snakeyaml", "versions": [{"version": "0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThan": "1.31", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360"}, {"url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174"}, {"url": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174"}, {"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"}, {"name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3132-1] snakeyaml security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0010/"}], "credits": [{"lang": "en", "value": "unknown"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Denial of Service (DoS)"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.292Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360", "tags": ["x_transferred"]}, {"url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174", "tags": ["x_transferred"]}, {"url": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174", "tags": ["x_transferred"]}, {"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3132-1] snakeyaml security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0010/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*", "matchCriteriaId": "4911A85B-287B-4900-8ACE-5BA60949D7BE", "versionEndExcluding": "1.31", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections."}, {"lang": "es", "value": "El paquete org.yaml:snakeyaml versiones desde 0 y anteriores a 1.31, son vulnerables a una Denegaci\u00f3n de Servicio (DoS) debido a una falta de limitaci\u00f3n de profundidad anidada para las colecciones"}], "id": "CVE-2022-25857", "lastModified": "2024-03-15T11:15:07.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-08-30T05:15:07.667", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"}, {"source": "report@snyk.io", "url": "https://security.netapp.com/advisory/ntap-20240315-0010/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7697", "cpe": "cpe:/a:redhat:amq_clients:2023_q4", "package": "snakeyaml", "product_name": "AMQ Clients", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:6172", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1698294000-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0778", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1706515741-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:6179", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1698292274-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0776", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1706516346-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:7288", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1699356715-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2023-11-16T00:00:00Z"}, {"advisory": "RHSA-2024:0777", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1706516441-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:3198", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-2-plugins-0:4.11.1683009941-1.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-05-17T00:00:00Z"}, {"advisory": "RHSA-2022:8876", "cpe": "cpe:/a:redhat:amq_broker:7", "impact": "moderate", "package": "snakeyaml", "product_name": "Red Hat AMQ Broker 7", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:6757", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "snakeyaml", "product_name": "Red Hat build of Eclipse Vert.x 4.3.3", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:6941", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "snakeyaml", "product_name": "Red Hat build of Quarkus Platform 2.7.6.SP1", "release_date": "2022-10-13T00:00:00Z"}, {"advisory": "RHSA-2022:8524", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "snakeyaml", "product_name": "Red Hat Data Grid 8.4.0", "release_date": "2022-11-17T00:00:00Z"}, {"advisory": "RHSA-2022:6820", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "prometheus-jmx-exporter-0:0.12.0-8.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-10-06T00:00:00Z"}, {"advisory": "RHSA-2022:8652", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "moderate", "package": "snakeyaml", "product_name": "Red Hat Fuse 7.11.1", "release_date": "2022-11-28T00:00:00Z"}, {"advisory": "RHSA-2022:6825", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "snakeyaml", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1.0", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:6822", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-snakeyaml-0:1.31.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:6823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-snakeyaml-0:1.31.0-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:6821", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-snakeyaml-0:1.31.0-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:0560", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "jenkins-2-plugins-0:4.10.1675144701-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2023-02-08T00:00:00Z"}, {"advisory": "RHSA-2023:0777", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "jenkins-2-plugins-0:4.9.1675668922-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2023-02-23T00:00:00Z"}, {"advisory": "RHSA-2023:2097", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "impact": "moderate", "package": "candlepin-0:4.2.13-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2023-05-03T00:00:00Z"}, {"advisory": "RHSA-2023:1049", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6", "impact": "low", "package": "snakeyaml", "product_name": "Red Hat Single Sign-On 7", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1043", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "impact": "low", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1044", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "impact": "low", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1045", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "impact": "low", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1047", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-20", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:3641", "cpe": "cpe:/a:redhat:camel_spring_boot:3.18", "impact": "moderate", "package": "snakeyaml", "product_name": "RHINT Camel-Springboot 3.18.3.P2", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "impact": "moderate", "package": "snakeyaml", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}, {"advisory": "RHSA-2022:6835", "cpe": "cpe:/a:redhat:service_registry:2.3", "package": "snakeyaml", "product_name": "RHINT Service Registry 2.3.0 GA", "release_date": "2022-10-06T00:00:00Z"}, {"advisory": "RHSA-2023:4983", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "impact": "moderate", "package": "snakeyaml", "product_name": "RHPAM 7.13.4 async", "release_date": "2023-09-05T00:00:00Z"}], "bugzilla": {"description": "snakeyaml: Denial of Service due to missing nested depth limitation for collections", "id": "2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections."], "name": "CVE-2022-25857", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "impact": "low", "package_name": "snakeyaml", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Will not fix", "impact": "moderate", "package_name": "snakeyaml", "product_name": "Red Hat A-MQ Online"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Affected", "package_name": "snakeyaml", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "snakeyaml", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "impact": "moderate", "package_name": "snakeyaml", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "impact": "moderate", "package_name": "snakeyaml", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "snakeyaml", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "snakeyaml", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "snakeyaml", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "snakeyaml", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "eap6-snakeyaml", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "snakeyaml", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "snakeyaml", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "snakeyaml", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "snakeyaml", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "snakeyaml", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-cassandra", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-cassandra", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/idea-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "impact": "moderate", "package_name": "puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "impact": "moderate", "package_name": "snakeyaml", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "impact": "moderate", "package_name": "snakeyaml", "product_name": "streams for Apache Kafka"}], "public_date": "2022-08-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-25857\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25857\nhttps://bitbucket.org/snakeyaml/snakeyaml/issues/525"], "statement": "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", "threat_severity": "Important", "upstream_fix": "org.yaml.snakeyaml 1.31"}