Vulnerability Description
The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pyyaml | Libyaml | <= 0.1.4 |
| Canonical | Ubuntu Linux | 12.04 |
| Redhat | Openstack | 3.0 |
| Debian | Debian Linux | 6.0 |
| Opensuse | Leap | 42.1 |
| Opensuse | Opensuse | 11.4 |
Related Weaknesses (CWE)
References
- http://advisories.mageia.org/MGASA-2014-0040.html (Third Party Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html (Broken Link)
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html (Broken Link)
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00064.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00065.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html (Third Party Advisory)
- http://osvdb.org/102716
- http://rhn.redhat.com/errata/RHSA-2014-0353.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-0354.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-0355.html (Third Party Advisory)
- http://www.debian.org/security/2014/dsa-2850 (Third Party Advisory)
- http://www.debian.org/security/2014/dsa-2870 (Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:060 (Third Party Advisory)
- http://www.securityfocus.com/bid/65258 (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2013-6393?
CVE-2013-6393 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execu...
How severe is CVE-2013-6393?
CVE-2013-6393 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2013-6393?
Check the references section above for vendor advisories and patch information. Affected products include: Pyyaml Libyaml, Canonical Ubuntu Linux, Redhat Openstack, Debian Debian Linux, Opensuse Leap.