PT-2014-1902 · Libyaml+3 · Libyaml+3

Published

2014-03-28

Updated

2024-06-15

CVE-2014-2525

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions LibYAML versions prior to 0.1.6

Description The issue is related to a heap-based buffer overflow in the yaml parser scan uri escapes function. This allows attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file. The vulnerability can be exploited remotely and may lead to a breach of confidentiality, integrity, and availability of protected information.

Recommendations For LibYAML versions prior to 0.1.6, update to version 0.1.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of YAML files with long sequences of percent-encoded characters in URIs until a patch is applied. Avoid using the yaml parser scan uri escapes function with untrusted input until the issue is resolved.

Exploit

Fix

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

ALT-PU-2014-1470

BDU:2015-09768

CESA-2014_0355

CVE-2014-2525

DSA-2884-1

DSA-2885-1

MGASA-2014-0150

MGASA-2014-0154

OPENSUSE-SU-2024:10029-1

OPENSUSE-SU-2024:10520-1

RHSA-2014:0353

RHSA-2014:0354

RHSA-2014:0355

RHSA-2014:0364

RHSA-2014:0415

SUSE-SU-2015:0953-1

SUSE-SU-2015:0953-2

Affected Products

Alt Linux

Centos

Libyaml

Suse

PT-2014-1902 · Libyaml+3 · Libyaml+3

CVE-2014-2525

Weakness Enumeration

Related Identifiers

Affected Products

References · 59