CVE-2023-28118

EUVD-2023-0975
kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.
XML Entity Expansion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Affected Products (NVD)
VendorProductVersion
kaml_projectkaml
𝑥
< 0.53.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a
https://github.com/charleskorn/kaml/releases/tag/0.53.0
https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48
https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a
https://github.com/charleskorn/kaml/releases/tag/0.53.0
https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48