
CVE-2022-38749: snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

CVSS Score (CVSS v3.1): 6.5

Basic Information

EPSS Score: 0.67904%
Published: 9/6/2022
Updated: 3/15/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected packages (First Patched Version is listed only where the page gives one):

Package Name                                          Ecosystem   Vulnerable Versions   First Patched Version
org.yaml:snakeyaml                                    maven       < 1.31                1.31
be.cylab:snakeyaml                                    maven       = 1.25.1
com.alipay.sofa.acts:acts-common-util                 maven       = 1.0.0
io.prometheus.jmx:jmx_prometheus_httpserver           maven       = 0.17.0
io.prometheus.jmx:jmx_prometheus_httpserver_java6     maven       <= 0.18.0
org.testifyproject.external:external-snakeyaml        maven       <= 1.0.6
pl.droidsonroids.yaml:snakeyaml                       maven       <= 1.18.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from uncontrolled recursion during YAML parsing of nested structures. The Composer class methods composeSequenceNode and composeMappingNode are the core recursive processing points, and in vulnerable versions they performed no depth validation. Stack traces captured during exploitation would show these two methods called repeatedly until the stack overflows. The patch that adds depth limits (commit fc30078) confirms them as the vulnerable entry points. composeNode appears in the traces as the parent caller but is not itself directly vulnerable.
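Once snakeyaml is upgraded, the depth limit that the patch introduced can also be set explicitly. The following is an added example, not Miggo's or the snakeyaml project's code; it assumes snakeyaml 1.31 or later on the classpath, where LoaderOptions.setNestingDepthLimit was introduced, and it constructs its own sample document of 100 nested flow sequences, deep enough to exceed the configured limit but far too shallow to exhaust a JVM stack on its own.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class BoundedYamlLoad {

    // Constructed sample input: `depth` nested flow sequences around a scalar,
    // e.g. depth 3 gives "[[[x]]]". Used only to exercise the configured limit.
    static String nestedSequences(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) {
            sb.append('[');
        }
        sb.append('x');
        for (int i = 0; i < depth; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    // Builds a loader whose Composer refuses documents nested deeper than `limit`
    // (assumption: LoaderOptions.setNestingDepthLimit, added in snakeyaml 1.31,
    // default 50). Versions before 1.31 have no such option and must be upgraded.
    static Yaml boundedLoader(int limit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(limit);
        return new Yaml(opts);
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(20);

        // A document within the limit composes normally.
        Object shallow = yaml.load(nestedSequences(10));
        System.out.println("shallow document loaded: " + shallow);

        // A document beyond the limit is rejected by the Composer with a
        // YAMLException instead of recursing until the stack is exhausted.
        try {
            yaml.load(nestedSequences(100));
            System.out.println("unexpected: deep document was accepted");
        } catch (YAMLException e) {
            System.out.println("deep document rejected: " + e.getMessage());
        }
    }
}
```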


WAF Protection Rules

WAF Rule

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
