An update for snakeyaml is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1164 Final 1.0 1.0 2023-03-17 Initial 2023-03-17 2023-03-17 openEuler SA Tool V1.0 2023-03-17 snakeyaml security update An update for snakeyaml is now available for openEuler-20.03-LTS-SP1. SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages. Security Fix(es): The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752) Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854) An update for snakeyaml is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High snakeyaml https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1164 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-25857 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38749 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38750 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38751 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38752 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41854 https://nvd.nist.gov/vuln/detail/CVE-2022-25857 https://nvd.nist.gov/vuln/detail/CVE-2022-38749 https://nvd.nist.gov/vuln/detail/CVE-2022-38750 https://nvd.nist.gov/vuln/detail/CVE-2022-38751 https://nvd.nist.gov/vuln/detail/CVE-2022-38752 https://nvd.nist.gov/vuln/detail/CVE-2022-41854 openEuler-20.03-LTS-SP1 snakeyaml-javadoc-1.32-1.oe1.noarch.rpm snakeyaml-1.32-1.oe1.noarch.rpm snakeyaml-1.32-1.oe1.src.rpm The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. 2023-03-17 CVE-2022-25857 openEuler-20.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H snakeyaml security update 2023-03-17 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1164 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 2023-03-17 CVE-2022-38749 openEuler-20.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H snakeyaml security update 2023-03-17 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1164 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 2023-03-17 CVE-2022-38750 openEuler-20.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H snakeyaml security update 2023-03-17 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1164 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 2023-03-17 CVE-2022-38751 openEuler-20.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H snakeyaml security update 2023-03-17 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1164 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow. 2023-03-17 CVE-2022-38752 openEuler-20.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H snakeyaml security update 2023-03-17 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1164 Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. 2023-03-17 CVE-2022-41854 openEuler-20.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H snakeyaml security update 2023-03-17 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1164