CVE-2017-18640
XML External Entity (XXE) vulnerability in snakeyaml (Maven)

XML External Entity (XXE) No known exploit

What is CVE-2017-18640 About?

This vulnerability is an XML External Entity (XXE) injection, specifically an entity expansion issue, in the Alias feature of SnakeYAML versions up to 1.18 during a load operation. It can lead to resource consumption or information disclosure. Exploitation is achieved by injecting malicious YAML aliases.

Affected Software

org.yaml:snakeyaml <1.26

Technical Details

The vulnerability is present in the Alias feature of SnakeYAML, prior to version 1.18. It is a variant of an XML External Entity (XXE) injection attack, often referred to as entity expansion. An attacker can craft a malicious YAML document that includes deeply nested or rapidly expanding aliases to anchored nodes. When SnakeYAML processes this crafted document during a load operation, the parser attempts to resolve and expand every alias, so the in-memory representation grows far faster than the document itself. This can lead to excessive memory or CPU consumption, causing a Denial of Service, or in some XXE-related cases, allow for local file disclosure by referencing system entities.

What is the Impact of CVE-2017-18640?

Successful exploitation may allow attackers to cause a denial of service by exhausting system resources or potentially disclose local files and sensitive information.

What is the Exploitability of CVE-2017-18640?

Exploitation requires the attacker to submit a specially crafted YAML document that is then processed by the vulnerable SnakeYAML library. The complexity is moderate, requiring an understanding of YAML syntax and entity expansion attacks. No authentication is typically required if the application accepts untrusted YAML input directly. This is generally a remote exploitation scenario, assuming the attacker can send the malicious YAML payload. The primary risk factor is the processing of untrusted YAML input without disabling or properly configuring the alias resolution feature.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2017-18640?

Available Upgrade Options

  • org.yaml:snakeyaml
    • <1.26 → Upgrade to 1.26
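The exploitability section above names the mitigating control (limiting alias resolution on untrusted input) and the fix section names the version that introduced it. The following is an added example, not code from this page or from the SnakeYAML project: it builds a small constructed YAML document with many aliases to one anchored list, then loads it with a `LoaderOptions` cap on non-scalar aliases (`setMaxAliasesForCollections`) and recursive keys disabled (`setAllowRecursiveKeys`), both of which exist in SnakeYAML 1.26 and later. The class name, method names and the alias counts used are assumptions for the demonstration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class AliasLimitDemo {

    // Constructed sample document: one small anchored sequence referenced by
    // aliasCount aliases. Every alias makes the loader materialise another copy
    // of the sequence, which is the expansion behaviour the advisory describes.
    static String buildAliasHeavyYaml(int aliasCount) {
        StringBuilder sb = new StringBuilder("base: &a [x, y, z]\nrefs:\n");
        for (int i = 0; i < aliasCount; i++) {
            sb.append("  - *a\n");
        }
        return sb.toString();
    }

    // Hardened loader for untrusted input: cap the number of aliases that may
    // point at collection nodes and refuse recursive keys. Both options are
    // part of LoaderOptions from SnakeYAML 1.26 onward.
    static Yaml hardenedLoader(int maxAliases) {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(maxAliases);
        options.setAllowRecursiveKeys(false);
        return new Yaml(options);
    }

    // Returns true when the document loads, false when the loader rejects it.
    // The rejection surfaces as a YAMLException before the expanded structure
    // is fully built, which is the point of the limit.
    static boolean tryLoad(Yaml yaml, String document) {
        try {
            Object parsed = yaml.load(document);
            return parsed != null;
        } catch (YAMLException e) {
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // 50 matches the library default introduced with the fix; shown
        // explicitly so the setting is visible in configuration review.
        Yaml yaml = hardenedLoader(50);
        System.out.println("10 aliases loaded: " + tryLoad(yaml, buildAliasHeavyYaml(10)));
        System.out.println("500 aliases loaded: " + tryLoad(yaml, buildAliasHeavyYaml(500)));
    }
}
```

With the cap in place the 10-alias document loads and the 500-alias document is rejected, so a log line such as the "Rejected:" output above is a useful detection signal for alias-expansion attempts against an upgraded service. The cap only addresses this CVE; an application that loads YAML from untrusted sources should additionally construct the `Yaml` instance with `SafeConstructor` so that documents cannot select arbitrary Java classes.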


Additional Resources

What are Similar Vulnerabilities to CVE-2017-18640?

Similar Vulnerabilities: CVE-2021-26296, CVE-2020-2555, CVE-2017-1000049, CVE-2017-5648, CVE-2016-3092