Vulnerability Name:

CVE-2022-38749 (CCN-235313)

Assigned:2022-04-28
Published:2022-04-28
Updated:2023-05-21
Summary:SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
3.0 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-38749

Source: CCN
Type: Bitbucket Web site
Got StackOverflowError for many open unmatched brackets

Source: cve-coordination@google.com
Type: Third Party Advisory
cve-coordination@google.com

Source: CCN
Type: Bitbucket Web site
Stackoverflow [OSS-Fuzz - 47027]

Source: cve-coordination@google.com
Type: Third Party Advisory
cve-coordination@google.com

Source: XF
Type: UNKNOWN
snakeyaml-cve202238749-dos(235313)

Source: cve-coordination@google.com
Type: Mailing List, Third Party Advisory
cve-coordination@google.com

Source: cve-coordination@google.com
Type: UNKNOWN
cve-coordination@google.com

Source: CCN
Type: IBM Security Bulletin 6831339 (Voice Gateway)
Multiple Vulnerabilities in java packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6844719 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands that process YAML data may be vulnerable to denial of service due to CVE-2022-38749, CVE-2022-38750, CVE-2022-38751 and CVE-2022-38752

Source: CCN
Type: IBM Security Bulletin 6845796 (Business Automation Workflow containers)
Multiple security vulnerabilities in IBM Business Automation Workflow Event Emitters

Source: CCN
Type: IBM Security Bulletin 6845824 (MQ)
IBM MQ Blockchain bridge dependencies are vulnerable to issues in SnakeYAML (CVE-2022-38749, CVE-2022-38750, CVE-2022-38751 & CVE-2022-38752)

Source: CCN
Type: IBM Security Bulletin 6846157 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Commons Text 1.9

Source: CCN
Type: IBM Security Bulletin 6846257 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6849213 (App Connect Enterprise)
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind

Source: CCN
Type: IBM Security Bulletin 6853463 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6854713 (Voice Gateway)
Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6890683 (Workload Scheduler)
IBM Workload Scheduler potentially affected by multiple vulnerabilities in Java package org.yaml:snakeyaml

Source: CCN
Type: IBM Security Bulletin 6909433 (Cloud Pak for Multicloud Management Monitoring)
IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML

Source: CCN
Type: IBM Security Bulletin 6910171 (Integration Designer)
Multiple CVEs affect IBM Integration Designer

Source: CCN
Type: IBM Security Bulletin 6955579 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable to multiple issues due to SnakeYAML

Source: CCN
Type: IBM Security Bulletin 6958062 (Cloud Pak for Business Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023

Source: CCN
Type: IBM Security Bulletin 6958693 (Business Automation Workflow traditional)
Multiple security vulnerabilities are reported for snakeyaml and jackson-databind in IBM Business Automation Workflow

Source: CCN
Type: IBM Security Bulletin 6967012 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6967519 (Log Analysis)
Multiple Vulnerabilities related to SnakeYAML in Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2022-38750, CVE-2022-38751, CVE-2022-38752, CVE-2022-38749)

Source: CCN
Type: IBM Security Bulletin 6969753 (Log Analysis)
Multiple Vulnerabilities related to SnakeYAML in Logstash shipped with IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6985689 (Db2 Graph)
Multiple vulnerabilities affect IBM Db2 Graph

Source: CCN
Type: IBM Security Bulletin 6987499 (Business Automation Workflow traditional)
Multiple vulnerabilities in DITA may affect IBM Business Automation Workflow and IBM Case Manager

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-38749

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_scheduler:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.3:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.2:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:case_manager:5.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:11.0.0.19:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.2.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.7:*:*:*:standard:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8065
    P
    		snakeyaml-1.33-150200.3.12.4 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:780
    P
    		Security update for snakeyaml (Important)
    2022-09-26
    BACK
    ibm app connect 11.0.0.1
    ibm sterling b2b integrator 6.0.0.0
    ibm voice gateway 1.0.2
    ibm voice gateway 1.0.3
    ibm cloud transformation advisor 2.0.1
    ibm voice gateway 1.0.2.4
    ibm voice gateway 1.0.4
    ibm voice gateway 1.0.5
    ibm log analysis 1.3.5.3
    ibm log analysis 1.3.6.0
    ibm log analysis 1.3.6
    ibm log analysis 1.3.6.1
    ibm voice gateway 1.0.6
    ibm sterling b2b integrator 6.1.0.0
    ibm integration designer 20.0.0.2
    ibm voice gateway 1.0.7
    ibm workload scheduler 9.5
    ibm app connect enterprise 12.0.1.0
    ibm business automation workflow 20.0.0.1 -
    ibm business automation workflow 20.0.0.1
    ibm business automation workflow 20.0.0.2
    ibm business automation workflow 21.0.1
    ibm business automation workflow 21.0.2
    ibm business automation workflow 21.0.3
    ibm business automation workflow 20.0.0.2 -
    ibm cloud pak for business automation 18.0.0
    ibm cloud pak for business automation 18.0.2
    ibm cloud pak for business automation 19.0.1
    ibm cloud pak for business automation 19.0.3
    ibm cloud pak for business automation 20.0.1
    ibm cloud pak for business automation 20.0.3
    ibm cloud pak for business automation 21.0.1 -
    ibm cloud pak for business automation 21.0.2 -
    ibm cloud pak for business automation 21.0.3 -
    ibm business automation workflow 21.0.2 -
    ibm case manager 5.3.3
    ibm app connect enterprise certified container 4.1
    ibm app connect enterprise certified container 4.2
    ibm robotic process automation for cloud pak 21.0.1
    ibm robotic process automation for cloud pak 21.0.2
    ibm robotic process automation for cloud pak 21.0.3
    ibm business automation workflow 22.0.1 -
    ibm business automation workflow 22.0.1
    ibm cloud pak for business automation 22.0.1 -
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm app connect enterprise certified container 6.0
    ibm app connect enterprise certified container 6.1
    ibm app connect enterprise 11.0.0.19
    ibm integration bus 10.0.0.12
    ibm sterling b2b integrator 6.1.2.0
    ibm robotic process automation for cloud pak 21.0.5
    ibm robotic process automation for cloud pak 21.0.4
    ibm business automation workflow 22.0.2
    ibm cloud pak for business automation 22.0.2 -
    ibm sterling b2b integrator 6.0.3.7