{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"snakeyaml security update", "category":"general", "title":"Synopsis" }, { "text":"An update for snakeyaml is now available for openEuler-20.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages.\n\nSecurity Fix(es):\n\nThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857)\n\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749)\n\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750)\n\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751)\n\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752)\n\nThose using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854)", "category":"general", "title":"Description" }, { "text":"An update for snakeyaml is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"snakeyaml", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2023-1164", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1164" }, { "summary":"CVE-2022-25857", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-25857&packageName=snakeyaml" }, { "summary":"CVE-2022-38749", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-38749&packageName=snakeyaml" }, { "summary":"CVE-2022-38750", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-38750&packageName=snakeyaml" }, { "summary":"CVE-2022-38751", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-38751&packageName=snakeyaml" }, { "summary":"CVE-2022-38752", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-38752&packageName=snakeyaml" }, { "summary":"CVE-2022-41854", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-41854&packageName=snakeyaml" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38749" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38750" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38751" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38752" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41854" }, { "summary":"openEuler-SA-2023-1164 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2023/csaf-openeuler-sa-2023-1164.json" } ], "title":"An update for snakeyaml is now available for openEuler-20.03-LTS-SP1", "tracking":{ "initial_release_date":"2023-03-17T14:16:31+08:00", "revision_history":[ { "date":"2023-03-17T14:16:31+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T14:16:31+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T14:16:31+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T14:16:31+08:00", "id":"openEuler-SA-2023-1164", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"snakeyaml-javadoc-1.32-1.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"snakeyaml-javadoc-1.32-1.oe1.noarch.rpm" }, "name":"snakeyaml-javadoc-1.32-1.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"snakeyaml-1.32-1.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"snakeyaml-1.32-1.oe1.noarch.rpm" }, "name":"snakeyaml-1.32-1.oe1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"snakeyaml-1.32-1.oe1.src.rpm(20.03-LTS-SP1)", "name":"snakeyaml-1.32-1.oe1.src.rpm" }, "name":"snakeyaml-1.32-1.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"snakeyaml-javadoc-1.32-1.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "name":"snakeyaml-javadoc-1.32-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"snakeyaml-1.32-1.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "name":"snakeyaml-1.32-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"snakeyaml-1.32-1.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src", "name":"snakeyaml-1.32-1.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2022-25857", "notes":[ { "text":"The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ], "details":"snakeyaml security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1164" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2022-25857" }, { "cve":"CVE-2022-38749", "notes":[ { "text":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ], "details":"snakeyaml security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1164" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2022-38749" }, { "cve":"CVE-2022-38750", "notes":[ { "text":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ], "details":"snakeyaml security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1164" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.5, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2022-38750" }, { "cve":"CVE-2022-38751", "notes":[ { "text":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ], "details":"snakeyaml security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1164" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2022-38751" }, { "cve":"CVE-2022-38752", "notes":[ { "text":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ], "details":"snakeyaml security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1164" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2022-38752" }, { "cve":"CVE-2022-41854", "notes":[ { "text":"Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ], "details":"snakeyaml security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1164" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:snakeyaml-javadoc-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.noarch", "openEuler-20.03-LTS-SP1:snakeyaml-1.32-1.oe1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2022-41854" } ] }