SnakeYAML vulnerability
Issue date: 21-09-2021Affects versions: 14.6
Security Issue ID
SECURITY-236
Affected Product Version(s)
14.6.0 and previous releases.
Severity
medium
Description
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv2:
- Base Score: MEDIUM (5.0)
- Vector: /AV:N/AC:L/Au:N/C:N/I:N/A
CVSSv3:
- Base Score: HIGH (7.5)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Instructions
Customers using the 14.x major versions are recommended to upgrade to the latest version in that series.