It was discovered that SnakeYAML did not limit the maximal nested depth for collections when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service. (CVE-2022-25857, CVE-2022-38749, CVE-2022-38750) It was discovered that SnakeYAML did not limit the maximal data matched with regular expressions when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service. (CVE-2022-38751)
Continue reading...
Continue reading...
