Bug 13314

Summary: [CVE 21] snakeyaml 1.25 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: m.novosyolov, s.matveev, y.tumanov
Version: AllFlags: y.tumanov: secteam_verified?
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2017-18640, CVE-2022-1471, CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-05-03 18:02:46 MSK 
Please patch CVEs for package snakeyaml version 1.25
  
INFO (CVEs are): snakeyaml 1.25
 cves found
CVE-2017-18640
Desc: The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Link: https://nvd.nist.gov/vuln/detail/CVE-2017-18640
Severity: HIGH
CVE-2022-1471
Desc: SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Link: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Severity: CRITICAL
CVE-2022-25857
Desc: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-25857
Severity: HIGH
CVE-2022-38749
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38749
Severity: MEDIUM
CVE-2022-38750
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38750
Severity: MEDIUM
CVE-2022-38751
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38751
Severity: MEDIUM
CVE-2022-38752
Desc: Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38752
Severity: MEDIUM
CVE-2022-41854
Desc: Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41854
Severity: MEDIUM
Comment 1 Mikhail Novosyolov 2023-05-15 15:27:08 MSK 
В этом пакете пока не будем исправлять CVE в связи с отсутствием его широкого применения и сложностью их закрытия.