PT-2019-5799 · Snakeyaml+8

Published: 2019-11-12 · Updated: 2025-03-27 · CVE-2017-18640

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: SnakeYAML versions prior to 1.26
Description: The issue stems from errors in processing XML entities and can be exploited by a remote attacker to cause a denial of service. The problem lies in the Alias feature during a load operation, which allows entity expansion.
Recommendations: For versions prior to 1.26, update to version 1.26 or later to resolve the issue. As a temporary workaround, consider disabling the Alias feature until a patch is available.
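As an added illustration of the recommendation (example code, not part of this record or of the SnakeYAML project), the loader below caps how many aliases to collections a document may use and rejects anything above the cap before the aliased structures are expanded. It assumes the 1.26+ API of the 1.x line (`LoaderOptions.setMaxAliasesForCollections`, `Yaml(BaseConstructor, Representer, DumperOptions, LoaderOptions)`); the 2.x constructors take `LoaderOptions` and `DumperOptions` arguments instead, and the YAML document is a constructed sample.

```java
import java.util.Map;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class BoundedYamlLoader {

    // Constructed sample: one anchored mapping (&base) referenced by three aliases (*base).
    static final String SAMPLE_YAML =
        "base: &base {cpu: 2, mem: 4096}\n"
      + "web: *base\n"
      + "db: *base\n"
      + "cache: *base\n";

    /** Builds a loader that rejects documents using more than maxAliases aliases to collections. */
    static Yaml boundedLoader(int maxAliases) {
        LoaderOptions opts = new LoaderOptions();
        // Default in 1.26 is 50; 0 refuses every alias to a collection, i.e. the
        // "disable the Alias feature" workaround from the recommendation.
        opts.setMaxAliasesForCollections(maxAliases);
        opts.setAllowRecursiveKeys(false); // 1.26 default: reject self-referencing keys
        // SafeConstructor restricts loading to standard YAML tags (no arbitrary Java types).
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    public static void main(String[] args) {
        // A generous cap accepts the sample (three collection aliases) ...
        Map<String, Object> ok = boundedLoader(10).load(SAMPLE_YAML);
        System.out.println("accepted, keys=" + ok.keySet());

        // ... while a cap of 2 aborts parsing as soon as the third alias is seen.
        try {
            boundedLoader(2).load(SAMPLE_YAML);
            System.out.println("unexpectedly accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```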

Weakness Enumeration

XML Entity Expansion

Related Identifiers

ALSA-2020:4807
ALT-PU-2021-1895
BDU:2021-02625
CESA-2020_4807
CVE-2017-18640
GHSA-RVWF-54QP-4R6V
OPENSUSE-SU-2021:0855-1
OPENSUSE-SU-2021:1876-1
OPENSUSE-SU-2021_1876-1
OPENSUSE-SU-2024:11391-1
RHSA-2020:4807
RHSA-2020_4807
RLSA-2020:4807
SUSE-SU-2021:1876-1
SUSE-SU-2021:1978-1
SUSE-SU-2021:1979-1
SUSE-SU-2021_1876-1
USN-7368-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Red Hat
Rocky Linux
Snakeyaml
Suse
Ubuntu