https://bugzilla.redhat.com/show_bug.cgi?id=2126789
Bug ID: 2126789
Summary: CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: pdelbell@redhat.com
CC: fedoraproject.org@bluhm-de.com, jaromir.capik@email.cz, java-sig-commits@lists.fedoraproject.org, jerboaa@gmail.com, mizdebsk@redhat.com, mo@morsi.org
Target Milestone: ---
Classification: Other

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.
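As an added example (not code from the bug report or from the SnakeYAML project), the following shows the mitigation that shipped in SnakeYAML 1.31, LoaderOptions.setNestingDepthLimit, and checks that a document nested deeper than the configured limit is rejected instead of being parsed. The class name, the helper methods and the depth values are constructed for this illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingDepthCheck {

    // Constructed sample input: a flow sequence nested `depth` levels deep, e.g. [[[]]].
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Returns true if the document loads under the given limit, false if SnakeYAML rejects it.
    static boolean loadsWithLimit(String doc, int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        // Limit introduced in 1.31 as the fix for CVE-2022-25857; the default there is 50.
        opts.setNestingDepthLimit(maxDepth);
        Yaml yaml = new Yaml(opts);
        try {
            yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            // 1.31+ raises a YAMLException when the depth limit is exceeded;
            // the exact message text is not relied on here.
            return false;
        }
    }

    public static void main(String[] args) {
        int limit = 20;
        System.out.println("depth 10, limit 20 -> loads: "
                + loadsWithLimit(nestedSequence(10), limit));  // expected: true
        System.out.println("depth 30, limit 20 -> loads: "
                + loadsWithLimit(nestedSequence(30), limit));  // expected: false
    }
}
```

On SnakeYAML versions before 1.31 the setNestingDepthLimit call does not compile, which is itself a quick way to confirm that a build is still on an affected release.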
Patrick Del Bello pdelbell@redhat.com changed:
What | Removed | Added
Blocks | | 2123794
Patrick Del Bello pdelbell@redhat.com changed:
What | Removed | Added
Depends On | | 2126793, 2126792, 2126794
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2126792 [Bug 2126792] CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections. [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2126793 [Bug 2126793] CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2126794 [Bug 2126794] CVE-2022-25857 texlive-base: snakeyaml: Denial of Service due to missing nested depth limitation for collections. [fedora-all]
--- Comment #1 from Patrick Del Bello pdelbell@redhat.com ---
Created snakeyaml tracking bugs for this issue:
Affects: epel-all [bug 2126792]
Affects: fedora-all [bug 2126793]
Created texlive-base tracking bugs for this issue:
Affects: fedora-all [bug 2126794]
--- Doc Text *updated* by Patrick Del Bello pdelbell@redhat.com ---
A flaw was found in the org.yaml.snakeyaml package which affects versions until 1.30. This flaw allows an attacker to cause Denial of Service (DoS) due to missing nested depth limitation for collections.
Sandipan Roy saroy@redhat.com changed:
What | Removed | Added
Depends On | | 2126842, 2126841

--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com ---
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
Paramvir jindal pjindal@redhat.com changed:
What | Removed | Added
CC | | anstephe@redhat.com

Bug 2126789 depends on bug 2126793, which changed state.
Bug 2126793 Summary: CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2126793
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | RAWHIDE