CVE-2022-38749
Denial of Service vulnerability in snakeyaml (Maven)
What is CVE-2022-38749 About?
Using SnakeYAML to parse untrusted YAML files makes an application vulnerable to Denial of Service (DoS) attacks. An attacker can supply specially crafted YAML content that causes the parser to crash due to a stack overflow. This can lead to system unresponsiveness, and exploitation is possible by providing a malicious YAML file.
Affected Software
- org.yaml:snakeyaml: <1.31
- io.prometheus.jmx:jmx_prometheus_httpserver_java6: <=0.18.0
- org.testifyproject.external:external-snakeyaml: <=1.0.6
- pl.droidsonroids.yaml:snakeyaml: <=1.18.2
Technical Details
The vulnerability in SnakeYAML arises when parsing untrusted YAML files. An attacker can craft a malicious YAML document with deeply nested structures, recursive aliases, or other constructs that, when processed by the parser, cause an excessive number of function calls or memory allocations during recursion. This leads to a stack overflow within the application process parsing the YAML. The consequence is a crash of the parser or the entire application, resulting in a Denial of Service (DoS) condition.
What is the Impact of CVE-2022-38749?
Successful exploitation may allow attackers to cause a denial of service, leading to system unresponsiveness or crashes.
What is the Exploitability of CVE-2022-38749?
Exploitation requires an attacker to be able to supply untrusted YAML input to an application that uses SnakeYAML. The complexity is low to moderate, depending on the specific YAML structure needed to trigger the stack overflow; usually, this involves deeply nested structures. The vulnerability itself imposes no authentication or privilege requirement; whether an attacker needs either depends on whether the application accepts untrusted YAML from an unauthenticated or low-privileged source. This vulnerability can be exploited remotely if the application processes external YAML files received over a network. A key risk factor is any application that directly or indirectly parses user-provided YAML files without imposing strict limits on recursion depth, document size, or aliasing.
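The limits named above (recursion depth, document size, aliasing) map directly onto settings SnakeYAML exposes. The following is an added example, not code from the SnakeYAML project or this advisory, showing a loader for untrusted YAML built on org.yaml:snakeyaml 1.31, the fixed version listed below. It assumes that version on the classpath; the class name HardenedYamlLoader, the size and depth caps, and the constructed sample documents are assumptions chosen for illustration.

```java
import java.io.StringReader;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Added example (not SnakeYAML project code): a loader for untrusted YAML that
 * relies on the limits available in org.yaml:snakeyaml 1.31. The limit values
 * below are assumptions to be tuned per application.
 */
public final class HardenedYamlLoader {

    /** Assumed per-document size cap, checked before the parser sees any input. */
    static final int MAX_DOCUMENT_CHARS = 64 * 1024;

    /** Assumed nesting cap; SnakeYAML 1.31 defaults this limit to 50. */
    static final int MAX_NESTING_DEPTH = 20;

    static Yaml newHardenedYaml() {
        LoaderOptions opts = new LoaderOptions();
        // 1.31+: stop parsing once collections nest deeper than the limit, raising a
        // YAMLException instead of recursing until the stack is exhausted.
        opts.setNestingDepthLimit(MAX_NESTING_DEPTH);
        // 1.26+: bound alias expansion of collections and refuse recursive keys.
        opts.setMaxAliasesForCollections(10);
        opts.setAllowRecursiveKeys(false);
        // SafeConstructor only builds standard YAML types, never arbitrary classes.
        // (In SnakeYAML 2.x, pass opts to SafeConstructor and a DumperOptions to Representer.)
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    /** Parses untrusted YAML; oversized or over-nested input fails with a catchable exception. */
    static Object loadUntrusted(String yamlText) {
        if (yamlText.length() > MAX_DOCUMENT_CHARS) {
            throw new IllegalArgumentException(
                "YAML document exceeds " + MAX_DOCUMENT_CHARS + " characters");
        }
        try {
            return newHardenedYaml().load(new StringReader(yamlText));
        } catch (YAMLException e) {
            // Limit violations (nesting depth, alias count) surface here as ordinary
            // exceptions, so the request fails cleanly rather than crashing the thread.
            throw new IllegalArgumentException("Rejected untrusted YAML: " + e.getMessage(), e);
        }
    }

    /** Constructed test input: a flow sequence nested `depth` levels deep, e.g. [[[]]] for depth 3. */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        // A benign, constructed config-style document loads normally.
        Object config = loadUntrusted("server:\n  port: 8080\n  tls: true\n");
        System.out.println("benign document -> " + config);

        // Input nested past the configured limit is rejected instead of overflowing the stack.
        try {
            loadUntrusted(nestedSequence(MAX_NESTING_DEPTH + 5));
            System.out.println("unexpected: over-nested document was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("over-nested document rejected: " + e.getMessage());
        }
    }
}
```

The pre-parse size check is deliberately separate from the parser limits: a StackOverflowError on an unpatched version is an Error, not an exception an application can reliably recover from, so the only dependable fix is the upgrade itself; the explicit limits then turn malformed input into a handled rejection and a log line rather than a dead worker thread.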
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-38749?
Available Upgrade Options
- org.yaml:snakeyaml: <1.31 → Upgrade to 1.31
Additional Resources
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024
- https://security.netapp.com/advisory/ntap-20240315-0010
- https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open
- https://security.gentoo.org/glsa/202305-28
- https://osv.dev/vulnerability/GHSA-c4r9-r8fh-9vj2
- https://arxiv.org/pdf/2306.05534.pdf
- https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html
What are Similar Vulnerabilities to CVE-2022-38749?
Similar Vulnerabilities: CVE-2022-36033, CVE-2022-41852, CVE-2021-43267, CVE-2021-43268, CVE-2020-13936
