CVE-2023-24620: Esoteric YamlBeans XML Entity Expansion vulnerability

August 25, 2023

An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.

References

github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md
github.com/advisories/GHSA-vj49-j7rc-h54f
nvd.nist.gov/vuln/detail/CVE-2023-24620

Code Behaviors & Features

Detect and mitigate CVE-2023-24620 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →