{ "threat_severity" : "Moderate", "public_date" : "2022-11-13T00:00:00Z", "bugzilla" : { "description" : "dev-java/snakeyaml: DoS via stack overflow", "id" : "2151988", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2151988" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack." ], "affected_release" : [ { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-05-31T00:00:00Z", "advisory" : "RHSA-2023:3373", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-web-container-rhel8:1.1-7" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2023-08-14T00:00:00Z", "advisory" : "RHSA-2023:4627", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-windup-addon-rhel9:6.2.0-11" }, { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2023-05-24T00:00:00Z", "advisory" : "RHBA-2023:3300", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "ocp-tools-4/jenkins-agent-base-rhel8:v4.12.0-1683009711" }, { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2023-05-24T00:00:00Z", "advisory" : "RHBA-2023:3300", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "ocp-tools-4/jenkins-rhel8:v4.12.0-1683010621" }, { "product_name" : "Red Hat AMQ Clients", "release_date" : "2023-12-07T00:00:00Z", "advisory" : "RHSA-2023:7697", "cpe" : "cpe:/a:redhat:amq_clients:2023_q4", "package" : "dev-java-snakeyaml" }, { "product_name" : "Red Hat build of Eclipse Vert.x 4.3.7", "release_date" : "2023-02-16T00:00:00Z", "advisory" : "RHSA-2023:0577", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "dev-java-snakeyaml" }, { "product_name" : "Red Hat Fuse 7.12", "release_date" : "2023-06-29T00:00:00Z", "advisory" : "RHSA-2023:3954", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "dev-java-snakeyaml" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1516", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "dev-java-snakeyaml" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1513", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package" : "eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1514", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package" : "eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1512", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package" : "eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat Single Sign-On 7", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2713", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6.3", "package" : "dev-java-snakeyaml" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2705", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2706", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2707", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2710", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-22" }, { "product_name" : "RHINT Camel-Springboot 3.18.3.P2", "release_date" : "2023-06-15T00:00:00Z", "advisory" : "RHSA-2023:3641", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.18" }, { "product_name" : "RHINT Camel-Springboot 3.20.1", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2100", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.20.1", "package" : "dev-java-snakeyaml" }, { "product_name" : "RHPAM 7.13.4 async", "release_date" : "2023-09-05T00:00:00Z", "advisory" : "RHSA-2023:4983", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:a_mq_clients:2", "impact" : "low" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat A-MQ Online", "fix_state" : "Not affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:amq_online:1" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Will not fix", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "snakeyaml", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "log4j:2/log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "impact" : "low" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "jackson-jaxrs-providers", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "impact" : "low" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "impact" : "low" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Not affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "eap6-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jbossas-modules-eap", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jboss-on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_2-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_3-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_4-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_5-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/metrics-cassandra", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/metrics-hawkular-metrics", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/ose-metrics-cassandra", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/ose-metrics-hawkular-metrics", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/idea-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/udi-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite-capsule:el8/puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "rh-maven36-byte-buddy", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Affected", "package_name" : "dev-java-snakeyaml", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-41854\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41854\nhttps://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355" ], "name" : "CVE-2022-41854", "csaw" : false }