Vulnerabilities > CVE-2023-24620 - XXE vulnerability in Esotericsoftware Yamlbeans

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

esotericsoftware

CWE-611

NVD

Published: 2023-08-25

Updated: 2023-08-31

Summary

An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.

Vulnerable Configurations

Part	Description	Count
Application	Esotericsoftware Esotericsoftware Yamlbeans 1.05 Esotericsoftware Yamlbeans 1.06 Esotericsoftware Yamlbeans 1.07 Esotericsoftware Yamlbeans 1.08 Esotericsoftware Yamlbeans 1.09 Esotericsoftware Yamlbeans 1.10 Esotericsoftware Yamlbeans 1.11 Esotericsoftware Yamlbeans 1.12 Esotericsoftware Yamlbeans 1.13 Esotericsoftware Yamlbeans 1.14 Esotericsoftware Yamlbeans 1.15	11

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References