snakeyaml-1.31-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12308 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z snakeyaml-1.31-1.1 on GA media These are all security issues fixed in the snakeyaml-1.31-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12308 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12308 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-13936/ SUSE CVE CVE-2020-13936 page https://www.suse.com/security/cve/CVE-2022-25857/ SUSE CVE CVE-2022-25857 page https://www.suse.com/security/cve/CVE-2022-38749/ SUSE CVE CVE-2022-38749 page https://www.suse.com/security/cve/CVE-2022-38750/ SUSE CVE CVE-2022-38750 page https://www.suse.com/security/cve/CVE-2022-38751/ SUSE CVE CVE-2022-38751 page https://www.suse.com/security/cve/CVE-2022-38752/ SUSE CVE CVE-2022-38752 page openSUSE Tumbleweed snakeyaml-1.31-1.1 snakeyaml-javadoc-1.31-1.1 snakeyaml-1.31-1.1 as a component of openSUSE Tumbleweed snakeyaml-javadoc-1.31-1.1 as a component of openSUSE Tumbleweed An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. CVE-2020-13936 openSUSE Tumbleweed:snakeyaml-1.31-1.1 openSUSE Tumbleweed:snakeyaml-javadoc-1.31-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-13936.html CVE-2020-13936 https://bugzilla.suse.com/1183360 SUSE Bug 1183360 The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. CVE-2022-25857 openSUSE Tumbleweed:snakeyaml-1.31-1.1 openSUSE Tumbleweed:snakeyaml-javadoc-1.31-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-25857.html CVE-2022-25857 https://bugzilla.suse.com/1202932 SUSE Bug 1202932 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. CVE-2022-38749 openSUSE Tumbleweed:snakeyaml-1.31-1.1 openSUSE Tumbleweed:snakeyaml-javadoc-1.31-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-38749.html CVE-2022-38749 https://bugzilla.suse.com/1203149 SUSE Bug 1203149 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. CVE-2022-38750 openSUSE Tumbleweed:snakeyaml-1.31-1.1 openSUSE Tumbleweed:snakeyaml-javadoc-1.31-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-38750.html CVE-2022-38750 https://bugzilla.suse.com/1203158 SUSE Bug 1203158 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. CVE-2022-38751 openSUSE Tumbleweed:snakeyaml-1.31-1.1 openSUSE Tumbleweed:snakeyaml-javadoc-1.31-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-38751.html CVE-2022-38751 https://bugzilla.suse.com/1203153 SUSE Bug 1203153 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow. CVE-2022-38752 openSUSE Tumbleweed:snakeyaml-1.31-1.1 openSUSE Tumbleweed:snakeyaml-javadoc-1.31-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-38752.html CVE-2022-38752 https://bugzilla.suse.com/1203154 SUSE Bug 1203154