CVE-2023-24620

Name of the Vulnerable Software and Affected Versions Esoteric YamlBeans versions through 1.15

Description An issue was discovered in Esoteric YamlBeans where a crafted YAML document can perform an XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.

Recommendations For Esoteric YamlBeans versions through 1.15, consider disabling the YamlReader function until a patch is available to prevent XML Entity Expansion attacks. Restrict the processing of crafted YAML documents to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.