PT-2023-21575 · Kaml · Kaml
Gdude2002
Published 2023-03-20 · Updated 2023-03-24
CVE-2023-28118
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
kaml versions prior to 0.53.0
Description
kaml versions before 0.53.0 resolve YAML anchors (`&name`) and aliases (`*name`) with no limit on how many times an anchored node may be referenced or how deeply aliases may nest. An attacker who can hand a YAML document to an application that parses untrusted input with kaml defines a small node, aliases it many times inside a second node, aliases that node many times inside a third, and so on; every level multiplies the size of the tree the parser has to build, so a document of a few hundred bytes expands to hundreds of millions of nodes. The outcome is excessive memory consumption and a crash, which is what the CVSS vector expresses: reachable over the network, no privileges or user interaction required, impact on availability only. This is the YAML form of the "billion laughs attack" originally described against XML entity expansion (see the Wikipedia article of that name). There are no known workarounds for this issue.
Recommendations
For versions prior to 0.53.0, update to version 0.53.0 or later. From 0.53.0 on, kaml refuses by default to parse any document that contains anchors or aliases, so the attack is blocked unless the application explicitly opts back in through its `YamlConfiguration` (the 0.53.0 release notes name the option `allowAnchorsAndAliases`; confirm the name against the release notes of the version you install, as the setting was reworked in later releases), and that should only be done for input you trust. Avoiding anchors and aliases in the documents you write yourself is not a mitigation: the vulnerable path is triggered by attacker-supplied input, which you do not control. If you cannot upgrade immediately, the only stopgap is to reject documents containing anchor or alias tokens, or to cap input size, before they reach kaml, keeping in mind that a hand-written filter is a stopgap and not a substitute for the fixed version.
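The following is an added illustration written for this page; it is not kaml code, not the advisory's exploit, and it does not run the library. It builds the standard billion-laughs document shape with anchors and aliases, computes how many scalar leaves an eager alias-copying parser would have to allocate for it, and shows the two mitigations discussed above: refusing any anchor or alias before parsing (the behaviour kaml 0.53.0 adopts by default) and, as a generalisation, expanding aliases under a leaf budget that aborts early. The mini expander understands only the one-line flow-sequence subset used by the payload, not full YAML, and every function name is this example's own.

```python
"""Billion laughs through YAML anchors and aliases (added example, not kaml code).

Shows (1) the payload shape, (2) the allocation an eager alias-copying parser
faces, and (3) two mitigations: refuse anchors/aliases outright, or expand
under a leaf budget. The expander handles only the `key: &anchor [ ... ]`
flow-sequence subset the payload uses; it is not a YAML parser.
"""
import re


def billion_laughs(depth: int, fanout: int, leaf: str = "lol") -> str:
    """Constructed payload: level 0 is a list of `fanout` scalars, and each
    later level is a list of `fanout` aliases to the previous level."""
    quoted = f'"{leaf}"'
    lines = ["l0: &l0 [" + ", ".join([quoted] * fanout) + "]"]
    for i in range(1, depth):
        lines.append(f"l{i}: &l{i} [" + ", ".join([f"*l{i - 1}"] * fanout) + "]")
    return "\n".join(lines) + "\n"


def naive_leaf_count(depth: int, fanout: int) -> int:
    """Leaves a parser that copies every alias allocates for the whole
    document: fanout + fanout**2 + ... + fanout**depth."""
    return sum(fanout ** i for i in range(1, depth + 1))


# Quoted scalars and comments are blanked first so that '&' or '*' inside
# them does not count; then any remaining &anchor / *alias token rejects.
_QUOTED_OR_COMMENT = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\']|\'\')*\'|#.*')
_ANCHOR_OR_ALIAS = re.compile(r'(?:^|[\s\[{,:])[&*][^\s\[\]{},]+', re.MULTILINE)


def has_anchors_or_aliases(doc: str) -> bool:
    """Pre-parse refusal, the policy kaml 0.53.0 applies by default. Coarse on
    purpose: it errs toward rejecting unusual plain scalars rather than
    letting an alias through."""
    stripped = _QUOTED_OR_COMMENT.sub(" ", doc)
    return _ANCHOR_OR_ALIAS.search(stripped) is not None


class ExpansionBudgetExceeded(Exception):
    """Raised when materialising aliases would exceed the allowed leaf count."""


_LINE = re.compile(r"^(?P<key>[^:\s]+):\s*(?:&(?P<anchor>[^\s\[]+)\s*)?\[(?P<body>.*)\]\s*$")


def expand_with_budget(doc: str, max_leaves: int) -> dict:
    """Resolve aliases by copying, as a naive parser does, but abort as soon as
    more than `max_leaves` scalar leaves have been materialised."""
    anchors: dict = {}
    out: dict = {}
    leaves = 0

    def copy_counted(node):
        nonlocal leaves
        if isinstance(node, list):
            return [copy_counted(child) for child in node]
        leaves += 1
        if leaves > max_leaves:
            raise ExpansionBudgetExceeded(f"more than {max_leaves} leaves")
        return node

    for lineno, raw in enumerate(doc.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: outside the subset this mini parser supports")
        items = []
        for item in (s.strip() for s in m["body"].split(",") if s.strip()):
            if item.startswith("*"):
                name = item[1:]
                if name not in anchors:
                    raise ValueError(f"line {lineno}: unknown alias *{name}")
                items.append(copy_counted(anchors[name]))  # alias: full copy, charged to budget
            else:
                items.append(copy_counted(item.strip("'\"")))
        if m["anchor"]:
            anchors[m["anchor"]] = items
        out[m["key"]] = items
    return out


def exceeds_budget(doc: str, max_leaves: int) -> bool:
    """True if expanding `doc` trips the leaf budget before finishing."""
    try:
        expand_with_budget(doc, max_leaves)
    except ExpansionBudgetExceeded:
        return True
    return False


def count_leaves(node) -> int:
    return sum(count_leaves(c) for c in node) if isinstance(node, list) else 1


if __name__ == "__main__":
    payload = billion_laughs(depth=9, fanout=9)
    print(f"{len(payload)} bytes of YAML -> {naive_leaf_count(9, 9):,} leaves if every alias is copied")
    print("refused by anchor/alias guard:", has_anchors_or_aliases(payload))
    print("aborted by a 10,000-leaf budget:", exceeds_budget(payload, 10_000))
```

The budgeted expander stops at the first level whose copies push the running total past the cap, so the 9x9 payload is rejected after a few thousand allocations instead of hundreds of millions; the outright refusal is simpler and is what the fixed release does, at the cost of also rejecting legitimate documents that use anchors.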
Weakness Enumeration
XML Entity Expansion (CWE-776). The CWE name refers to XML DTD entities; in kaml the same weakness, unbounded recursive expansion of references, applies to YAML anchors and aliases.
Related Identifiers
CVE-2023-28118
Affected Products
Kaml