#VU36237 Resource exhaustion in yaml-cpp


Published: 2019-01-15 | Updated: 2020-08-08

Vulnerability identifier: #VU36237

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6292

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
yaml-cpp
Other software / Other software solutions

Vendor: jbeder (Jesse Beder)

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

yaml-cpp: 0.6.2

External links
http://github.com/jbeder/yaml-cpp/issues/657

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell Cloud Tiering Appliance
SUSE update for yaml-cpp
SUSE update for yaml-cpp
SUSE update for yaml-cpp
SUSE update for yaml-cpp
Multiple vulnerabilities in yaml-cpp