Reported

September 17, 2018

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

yaml-rust (crates.io)

Type

Vulnerability

Keywords

#crash

Aliases

• CVE-2018-20993
• GHSA-hv87-47h9-jcvq

References

• https://github.com/chyh1990/yaml-rust/pull/109

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.4.1

Description

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

Advisory available under CC0-1.0 license.