=====================================================================
CERT-Renater Information Note No. 2023/VULN275
_____________________________________________________________________
DATE : 30/08/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Esoteric YamlBeans versions up to and including 1.15.
=====================================================================
https://github.com/advisories/GHSA-rcx8-48pc-v9q8
https://github.com/advisories/GHSA-jm7r-4pg6-gf26
_____________________________________________________________________
Esoteric YamlBeans XML Entity Expansion vulnerability
Moderate severity | GitHub Reviewed | Published Aug 25, 2023 to the GitHub Advisory Database

Vulnerability details
Package          : com.esotericsoftware.yamlbeans:yamlbeans (Maven)
Affected versions: <= 1.15
Patched versions : None

Description
An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML
document is able to perform an XML Entity Expansion attack against YamlBeans
YamlReader. By exploiting the Anchor feature in YAML, it is possible to
generate a small YAML document that, when read, is expanded to a large size,
causing CPU and memory consumption, such as a Java Out-of-Memory exception.

References
https://nvd.nist.gov/vuln/detail/CVE-2023-24620
https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

Published to the GitHub Advisory Database: Aug 25, 2023
Reviewed     : Aug 25, 2023
Last updated : Aug 25, 2023
Severity     : Moderate
Weaknesses   : CWE-400
CVE ID       : CVE-2023-24620
GHSA ID      : GHSA-vj49-j7rc-h54f
Source code  : EsotericSoftware/yamlbeans
_____________________________________________________________________
Esoteric YamlBeans Unsafe Deserialization vulnerability
High severity | GitHub Reviewed | Published Aug 25, 2023 to the GitHub Advisory Database

Vulnerability details
Package          : com.esotericsoftware.yamlbeans:yamlbeans (Maven)
Affected versions: <= 1.15
Patched versions : None

Description
An issue was discovered in Esoteric YamlBeans through 1.15. It allows
untrusted deserialisation to Java classes by default, where the data and
class are controlled by the author of the YAML document being processed.

References
https://nvd.nist.gov/vuln/detail/CVE-2023-24621
https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

Published to the GitHub Advisory Database: Aug 25, 2023
Last updated : Aug 25, 2023
Reviewed     : Aug 25, 2023
Severity     : High
Weaknesses   : CWE-502
CVE ID       : CVE-2023-24621
GHSA ID      : GHSA-jm7r-4pg6-gf26
Source code  : EsotericSoftware/yamlbeans
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================
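Added example (not part of the CERT-Renater note and not code from the YamlBeans project): both advisories above list no patched version, so a practical mitigation on the consuming side is to gate untrusted YAML text before it reaches YamlReader. The hypothetical class YamlInputGuard below uses only the Java standard library. It rejects documents that carry an explicit dotted class tag (the vector described for CVE-2023-24621) and estimates how far the anchor/alias structure would expand when read (the vector described for CVE-2023-24620), refusing documents whose estimate exceeds a limit. The class name, the thresholds and the three sample documents are assumptions constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Pre-parse gate for YAML text that is about to be handed to YamlBeans' YamlReader.
 * Hypothetical helper (not part of YamlBeans): it rejects documents whose anchor/alias
 * structure would expand far beyond their byte size, and documents that carry explicit
 * Java class tags, so that untrusted input never reaches the reader in the first place.
 */
public final class YamlInputGuard {

    /** Result of a check: accepted or rejected, with the reason and the expansion estimate. */
    public static final class Verdict {
        public final boolean accepted;
        public final String reason;
        public final long estimatedAliasNodes;

        Verdict(boolean accepted, String reason, long estimatedAliasNodes) {
            this.accepted = accepted;
            this.reason = reason;
            this.estimatedAliasNodes = estimatedAliasNodes;
        }
    }

    // "&name" defines an anchor, "*name" references it (YAML anchor/alias syntax).
    private static final Pattern ANCHOR = Pattern.compile("&([A-Za-z0-9_-]+)");
    private static final Pattern ALIAS = Pattern.compile("\\*([A-Za-z0-9_-]+)");
    // A tag shaped like a dotted Java class name, e.g. "!com.example.Foo". Core YAML
    // tags such as "!!str" or "!!map" contain no dot and therefore do not match.
    private static final Pattern CLASS_TAG =
            Pattern.compile("!+[A-Za-z_][A-Za-z0-9_$]*(?:\\.[A-Za-z_][A-Za-z0-9_$]*)+");

    private final int maxChars;        // hard cap on document size (assumed value)
    private final long maxAliasNodes;  // cap on estimated nodes produced by aliases (assumed value)

    public YamlInputGuard(int maxChars, long maxAliasNodes) {
        this.maxChars = maxChars;
        this.maxAliasNodes = maxAliasNodes;
    }

    public Verdict check(String yaml) {
        if (yaml.length() > maxChars) {
            return new Verdict(false, "document larger than " + maxChars + " chars", 0);
        }
        Matcher tag = CLASS_TAG.matcher(yaml);
        if (tag.find()) {
            return new Verdict(false, "explicit class tag not allowed: " + tag.group(), 0);
        }
        // Estimate how many nodes all aliases expand to. An anchor's weight is 1 plus the
        // weights of the aliases on the line that defines it, so anchors that reference
        // earlier anchors make the estimate grow geometrically, which is exactly the
        // small-document / large-expansion shape the first advisory describes.
        Map<String, Long> weight = new HashMap<>();
        long total = 0;
        for (String line : yaml.split("\\r?\\n")) {
            long lineWeight = 1;
            Matcher alias = ALIAS.matcher(line);
            while (alias.find()) {
                long w = weight.getOrDefault(alias.group(1), 1L);
                lineWeight += w;
                total += w;
                if (total > maxAliasNodes) {
                    return new Verdict(false,
                            "alias expansion exceeds " + maxAliasNodes + " nodes", total);
                }
            }
            Matcher anchor = ANCHOR.matcher(line);
            while (anchor.find()) {
                weight.put(anchor.group(1), lineWeight);
            }
        }
        return new Verdict(true, "ok", total);
    }

    public static void main(String[] args) {
        YamlInputGuard guard = new YamlInputGuard(64 * 1024, 10_000);

        // Constructed sample documents (not taken from the advisories).
        String benign = "name: demo\nports: &ports [80, 443]\nweb: *ports\n";
        String nested = "a: &a [x, x, x, x, x, x, x, x, x]\n"
                + "b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a]\n"
                + "c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b]\n"
                + "d: &d [*c, *c, *c, *c, *c, *c, *c, *c, *c]\n"
                + "e: &e [*d, *d, *d, *d, *d, *d, *d, *d, *d]\n";
        String tagged = "!com.example.AppConfig\nname: demo\n";

        for (String doc : new String[] {benign, nested, tagged}) {
            Verdict v = guard.check(doc);
            System.out.println((v.accepted ? "ACCEPT " : "REJECT ") + v.reason
                    + " (estimated alias nodes: " + v.estimatedAliasNodes + ")");
            // Only an accepted document would then be passed to
            // new YamlReader(new StringReader(doc)).read().
        }
    }
}
```

With these assumed limits the benign document is accepted (one alias, estimate 1), the nested-anchor document is rejected while line "e" is being scanned (the estimate passes 10,000 there), and the tagged document is rejected before any expansion estimate is made. The estimate is a heuristic: it tracks nesting only for anchors whose aliases sit on the defining line, and a stray "&" or "*" inside a quoted scalar counts as an anchor or alias, so the gate errs toward rejection, which is the safe direction for untrusted input. It complements, rather than replaces, the advisories' underlying point: YAML from an untrusted author should not be read into author-selected Java classes at all.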