Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00095.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Fedoraproject
  • Fedora
Redhat
  • Amq Clients
  • Camel Spring Boot
  • Jboss Enterprise Application Platform
  • Jboss Enterprise Bpms Platform
  • Jboss Fuse
  • Migration Toolkit Applications
  • Migration Toolkit Runtimes
  • Ocp Tools
  • Openshift Application Runtimes
  • Red Hat Single Sign On
  • Rhosemc
Snakeyaml Project
  • Snakeyaml

Configuration 1 [-]

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Package CPE Advisory Released Date
AMQ Clients
dev-java-snakeyaml cpe:/a:redhat:amq_clients:2023_q4 RHSA-2023:7697 2023-12-07T00:00:00Z
EAP 7.4.10 release
dev-java-snakeyaml cpe:/a:redhat:jboss_enterprise_application_platform:7.4 RHSA-2023:1516 2023-03-29T00:00:00Z
Migration Toolkit for Runtimes 1 on RHEL 8
mtr/mtr-web-container-rhel8:1.1-7 cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 RHSA-2023:3373 2023-05-31T00:00:00Z
MTA-6.2-RHEL-9
mta/mta-windup-addon-rhel9:6.2.0-11 cpe:/a:redhat:migration_toolkit_applications:6.2::el9 RHSA-2023:4627 2023-08-14T00:00:00Z
OCP-Tools-4.12-RHEL-8
ocp-tools-4/jenkins-agent-base-rhel8:v4.12.0-1683009711 cpe:/a:redhat:ocp_tools:4.12::el8 RHBA-2023:3300 2023-05-24T00:00:00Z
ocp-tools-4/jenkins-rhel8:v4.12.0-1683010621 cpe:/a:redhat:ocp_tools:4.12::el8 RHBA-2023:3300 2023-05-24T00:00:00Z
Red Hat build of Eclipse Vert.x 4.3.7
dev-java-snakeyaml cpe:/a:redhat:openshift_application_runtimes:1.0 RHSA-2023:0577 2023-02-16T00:00:00Z
Red Hat Fuse 7.12
dev-java-snakeyaml cpe:/a:redhat:jboss_fuse:7 RHSA-2023:3954 2023-06-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 RHSA-2023:1513 2023-03-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el9eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 RHSA-2023:1514 2023-03-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 RHSA-2023:1512 2023-03-29T00:00:00Z
Red Hat Single Sign-On 7
dev-java-snakeyaml cpe:/a:redhat:red_hat_single_sign_on:7.6.3 RHSA-2023:2713 2023-05-10T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 RHSA-2023:2705 2023-05-10T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 RHSA-2023:2706 2023-05-10T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 RHSA-2023:2707 2023-05-10T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-22 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2023:2710 2023-05-10T00:00:00Z
RHINT Camel-Springboot 3.18.3.P2
cpe:/a:redhat:camel_spring_boot:3.18 RHSA-2023:3641 2023-06-15T00:00:00Z
RHINT Camel-Springboot 3.20.1
dev-java-snakeyaml cpe:/a:redhat:camel_spring_boot:3.20.1 RHSA-2023:2100 2023-05-03T00:00:00Z
RHPAM 7.13.4 async
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13 RHSA-2023:4983 2023-09-05T00:00:00Z

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2022-7446 Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Github GHSA Github GHSA GHSA-w37g-rhq8-7m4j Snakeyaml vulnerable to Stack overflow leading to denial of service
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355 cve-icon
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355 cve-icon cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2022-41854 cve-icon
https://security.netapp.com/advisory/ntap-20240315-0009/ cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20240621-0006/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2022-41854 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2024-09-16T16:24:11.627Z

Reserved: 2022-09-30T00:00:00

Link: CVE-2022-41854

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-11-11T13:15:11.003

Modified: 2024-11-21T07:23:56.797

Link: CVE-2022-41854

cve-icon Redhat

Severity : Moderate

Publid Date: 2022-11-13T00:00:00Z

Links: CVE-2022-41854 - Bugzilla

cve-icon OpenCVE Enrichment

No data.