CVE-2023-24620 - OpenCVE

An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Esotericsoftware	Yamlbeans

Configuration 1 [-]

cpe:2.3:a:esotericsoftware:yamlbeans:*:*:*:*:*:*:*:*

References

Link	Resource
https://contrastsecurity.com	Third Party Advisory
https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md	Exploit Third Party Advisory
https://github.com/EsotericSoftware	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-25T00:00:00

Updated: 2023-08-25T19:50:04.068855

Reserved: 2023-01-30T00:00:00

Link: CVE-2023-24620

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-08-25T20:15:07.893

Modified: 2023-08-31T13:08:07.587

Link: CVE-2023-24620

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esotericsoftware:yamlbeans:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA60B6AE-695A-4791-88C5-576BDEEA4FE4", "versionEndIncluding": "1.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception."}, {"lang": "es", "value": "Un problema fue descubierto en Esoteric YamlBeans a trav\u00e9s de 1.15. Un documento YAML manipulado es capaz de realizar un ataque de Expansi\u00f3n de Entidad XML contra YamlReader YamlBeans. Mediante la explotaci\u00f3n de la funci\u00f3n de anclaje en YAML, es posible generar un peque\u00f1o documento YAML que, cuando se lee, se expande a un gran tama\u00f1o, causando el consumo de CPU y memoria, como una excepci\u00f3n Java Out-of-Memory.\n"}], "id": "CVE-2023-24620", "lastModified": "2023-08-31T13:08:07.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T20:15:07.893", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://contrastsecurity.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/EsotericSoftware"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}