CVE-2023-47163 – remarshal
Package
Manager: pip
Name: remarshal
Vulnerable Version: >=0 <0.17.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00076 (percentile 0.23408)
Details
Remarshal prior to v0.17.1 expands YAML alias nodes without any limit, so it is vulnerable to a Billion Laughs attack: a small document whose anchors reference each other in nested layers is expanded into an exponentially larger tree in memory. Processing untrusted YAML files may therefore cause a denial-of-service (DoS) condition.
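The expansion the advisory describes, as an added example that is not code from remarshal or from its fix: it generates the nested-anchor payload, computes how large the expanded tree would be without materialising it, and shows the counter-measure of refusing to expand past a budget. The line reader understands only the one `key: &anchor [items]` shape the payload uses (a toy, not a YAML parser), and the names `billion_laughs_yaml`, `total_expanded`, `expand_with_budget` and `AliasBudgetExceeded` are this example's own assumptions.

```python
import re


# Constructed payload generator for this example; not code from remarshal.
def billion_laughs_yaml(depth: int, fanout: int) -> str:
    """Build the classic nested-anchor payload:

        a0: &a0 ["lol"]
        a1: &a1 [*a0, *a0, ...]     # fanout aliases of the level below
        ...
        aN: &aN [*a(N-1), ...]

    Every level is one short line, but aN expands to fanout**N scalars.
    """
    lines = ['a0: &a0 ["lol"]']
    for i in range(1, depth + 1):
        refs = ", ".join(f"*a{i - 1}" for _ in range(fanout))
        lines.append(f"a{i}: &a{i} [{refs}]")
    return "\n".join(lines) + "\n"


_LINE = re.compile(r"^(?P<key>\w+): &(?P<anchor>\w+) \[(?P<items>.*)\]$")


def parse_anchored_sequences(text: str) -> dict[str, list[str]]:
    """Toy reader for lines of the form `key: &anchor [item, item, ...]`,
    where an item is a quoted scalar or an *alias. Returns anchor -> raw
    items. YAML requires an anchor to be defined before it is aliased, so a
    reference to an unknown anchor is rejected here as well."""
    anchors: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported line for this toy reader: {line!r}")
        items = [s.strip() for s in m["items"].split(",") if s.strip()]
        for item in items:
            if item.startswith("*") and item[1:] not in anchors:
                raise ValueError(f"alias to undefined anchor: {item}")
        anchors[m["anchor"]] = items
    return anchors


def expanded_scalars(anchors: dict[str, list[str]]) -> dict[str, int]:
    """Size of each anchor's fully expanded tree. Computed over the anchor
    graph with memoisation, so the estimate costs about one step per alias
    even when the expansion itself would be exponential."""
    memo: dict[str, int] = {}

    def size(anchor: str) -> int:
        if anchor not in memo:
            memo[anchor] = sum(
                size(item[1:]) if item.startswith("*") else 1
                for item in anchors[anchor]
            )
        return memo[anchor]

    return {anchor: size(anchor) for anchor in anchors}


def total_expanded(text: str) -> int:
    """Number of scalars a parser would produce if it expanded every alias."""
    return sum(expanded_scalars(parse_anchored_sequences(text)).values())


class AliasBudgetExceeded(ValueError):
    """Raised when alias expansion would exceed the configured budget."""


def expand_with_budget(text: str, max_scalars: int) -> dict[str, list[str]]:
    """Materialise the document the way an unbounded loader would, but abort
    as soon as more than max_scalars scalars have been produced. This is the
    mitigation: the cap is enforced during expansion, not trusted to input."""
    anchors = parse_anchored_sequences(text)
    produced = 0

    def build(anchor: str) -> list[str]:
        nonlocal produced
        out: list[str] = []
        for item in anchors[anchor]:
            if item.startswith("*"):
                out.extend(build(item[1:]))
            else:
                produced += 1
                if produced > max_scalars:
                    raise AliasBudgetExceeded(
                        f"alias expansion exceeds {max_scalars} scalars"
                    )
                out.append(item.strip('"'))
        return out

    return {anchor: build(anchor) for anchor in anchors}


if __name__ == "__main__":
    doc = billion_laughs_yaml(depth=9, fanout=10)
    print(f"payload: {len(doc)} bytes, {doc.count(chr(10))} lines")
    print(f"would expand to {total_expanded(doc):,} scalars")
    try:
        expand_with_budget(doc, max_scalars=100_000)
    except AliasBudgetExceeded as exc:
        print("rejected:", exc)
```

The memoised estimator is the mirror image of the attack: the anchor graph is tiny and has one node per line, while the tree a naive loader builds from it is the product of the fan-outs. Some YAML libraries expose such a cap themselves (SnakeYAML's max-aliases-for-collections setting is one); PyYAML, which remarshal builds on, does not, so a tool that accepts untrusted YAML has to enforce a bound like this before or during expansion.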
Metadata
Created: 2023-11-13T03:30:37Z
Modified: 2024-10-26T18:35:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-gw7g-qr8w-3448/GHSA-gw7g-qr8w-3448.json
CWE IDs: ["CWE-400", "CWE-674"]
Alternative ID: GHSA-gw7g-qr8w-3448
Finding: F067
Auto approve: 1