Vulnerability Description
kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.
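The fix in 0.53.0 is a policy change rather than a parser change: the library simply refuses documents that use anchors and aliases, since alias expansion is what lets a small input grow into a large in-memory structure. The same policy can be applied at the application boundary in front of any YAML parser. The following Python guard is an added example, not kaml's code and not part of the advisory; the function names and the sample documents are constructed for illustration.

```python
"""Added example: refuse YAML input that uses anchors (&name) or aliases (*name),
the same policy kaml 0.53.0 applies by default. Function names and sample
documents are constructed for illustration, not taken from kaml."""


def contains_anchors_or_aliases(text: str) -> bool:
    """Return True if the document uses YAML anchors or aliases.

    The scan skips quoted scalars and comments, where '&' and '*' are ordinary
    characters. Anywhere else, an '&' or '*' at the start of a token is an
    anchor or alias indicator. The check is deliberately conservative: it also
    fires inside block scalars, so it fails closed rather than letting one slip.
    """
    in_single = in_double = in_comment = False
    prev = "\n"  # treat the start of the text as the start of a line
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if in_comment:
            if ch == "\n":
                in_comment = False
        elif in_single:
            if ch == "'":
                if i + 1 < n and text[i + 1] == "'":
                    i += 1  # '' is an escaped quote inside a single-quoted scalar
                else:
                    in_single = False
        elif in_double:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_double = False
        else:
            token_start = prev in " \t\n[{,"
            if ch == "#" and prev in " \t\n":
                in_comment = True
            elif ch == "'" and token_start:
                in_single = True
            elif ch == '"' and token_start:
                in_double = True
            elif ch in "&*" and token_start and i + 1 < n and text[i + 1] not in " \t\n":
                return True
        prev = ch
        i += 1
    return False


def guard_untrusted_yaml(text: str, max_bytes: int = 1_000_000) -> str:
    """Gate untrusted YAML before it reaches the parser.

    Rejects oversized documents and any document that uses anchors or aliases;
    otherwise returns the text unchanged so the caller can parse it.
    """
    if len(text.encode("utf-8")) > max_bytes:
        raise ValueError(f"YAML document exceeds {max_bytes} bytes")
    if contains_anchors_or_aliases(text):
        raise ValueError("YAML document uses anchors or aliases; refusing to parse")
    return text


# Constructed sample: an ordinary anchor/alias reuse pattern, which the guard rejects.
ALIAS_DOC = """\
defaults: &defaults
  retries: 3
  timeout: 30
service_a: *defaults
service_b: *defaults
"""

# Constructed sample: '&' and '*' only inside comments, quotes or plain text, accepted.
PLAIN_DOC = """\
# note: & and * in comments are fine
name: "a*b & c"
pattern: 'leave *this* alone'
path: /usr/share/*
"""

if __name__ == "__main__":
    print("plain document accepted:", guard_untrusted_yaml(PLAIN_DOC) == PLAIN_DOC)
    try:
        guard_untrusted_yaml(ALIAS_DOC)
    except ValueError as exc:
        print("alias document rejected:", exc)
```

The guard is an input filter, not a replacement for upgrading: it mirrors the library's new default for callers that front several parsers with one check, and the byte-size cap limits what any accepted document can cost even before parsing.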
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kaml Project | Kaml | < 0.53.0 |
Related Weaknesses (CWE)
References
- https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c505935 (Patch)
- https://github.com/charleskorn/kaml/releases/tag/0.53.0 (Release Notes)
- https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48 (Vendor Advisory)
FAQ
What is CVE-2023-28118?
CVE-2023-28118 is a vulnerability with a CVSS score of 7.5 (HIGH). kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash...
How severe is CVE-2023-28118?
CVE-2023-28118 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-28118?
Check the references section above for vendor advisories and patch information. Affected products include: Kaml Project Kaml.