CVE-2022-38752: DoS in SnakeYAML
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
Other sources
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
— GitHub
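The mitigation that corresponds to this description is to bound the parser's recursion before it reads attacker-controlled input, rather than trying to catch a StackOverflowError after the fact. The following is an added example, not code from the advisory or from the SnakeYAML project: it assumes the SnakeYAML 1.33 API (LoaderOptions.setNestingDepthLimit, LoaderOptions.setAllowRecursiveKeys, SafeConstructor and the four-argument Yaml constructor); the class name BoundedYamlLoader and the helper nestedSequence are hypothetical, and the two YAML inputs are constructed for the demonstration.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

// Added example (not from the advisory or the SnakeYAML project): load untrusted YAML
// with an explicit nesting-depth cap so that deeply nested documents are refused with a
// YAMLException instead of exhausting the parser's stack. Assumes SnakeYAML 1.33 APIs.
public class BoundedYamlLoader {

    // Hypothetical helper: build a loader whose nesting depth is capped at maxDepth.
    public static Yaml boundedLoader(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);   // refuse sequences/mappings nested deeper than this
        opts.setAllowRecursiveKeys(false);     // recursive keys are another source of deep recursion
        DumperOptions dump = new DumperOptions();
        // SafeConstructor builds only standard YAML types; no arbitrary Java class instantiation.
        return new Yaml(new SafeConstructor(opts), new Representer(), dump, opts);
    }

    // Constructed sample input: a flow sequence nested 'depth' levels deep, e.g. "[[[]]]".
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(50);

        // Constructed ordinary input, well within the cap: parses as usual.
        Object config = yaml.load("server:\n  port: 8080\n  hosts: [a, b]\n");
        System.out.println("parsed: " + config);

        // Constructed input nested far beyond the cap: rejected as soon as the limit is hit,
        // long before the recursion could reach the JVM stack limit.
        try {
            yaml.load(nestedSequence(10_000));
            System.out.println("unexpected: deep document accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The depth limit is checked by the parser as each nested collection is opened, so the cost of a hostile document is bounded by the cap rather than by the document. A StackOverflowError is a java.lang.Error, not an Exception, and a thread that has already blown its stack is not in a state you want to keep serving requests from, which is why the limit is applied up front; choose the cap from the deepest structure your own schemas legitimately need.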
Frequently Asked Questions
What is CVE-2022-38752?
CVE-2022-38752 is a vulnerability in the snakeyaml package that allows for a denial of service attack by exploiting a stack-overflow in parsing YAML files.
How severe is CVE-2022-38752?
CVE-2022-38752 has a severity value of 6.5 (medium).
Which software versions are affected by CVE-2022-38752?
The versions affected by CVE-2022-38752 include eap7-snakeyaml 1.33.0-2.SP1_redhat_00001.1.el8ea, eap7-snakeyaml 1.33.0-2.SP1_redhat_00001.1.el9ea, eap7-snakeyaml 1.33.0-2.SP1_redhat_00001.1.el7ea, candlepin 4.2.13-1.el8, rh-sso7-keycloak 18.0.7-1.redhat_00001.1.el7, rh-sso7-keycloak 18.0.7-1.redhat_00001.1.el8, rh-sso7-keycloak 18.0.7-1.redhat_00001.1.el9, Snakeyaml Project Snakeyaml 1.32, and the following IBM Cloud Pak for Business Automation ranges: V22.0.2 - V22.0.2-IF001, V21.0.3 - V21.0.3-IF017, V22.0.1 - V22.0.1-IF006 and later fixes, V21.0.2 - V21.0.2-IF012 and later fixes, V21.0.1 - V21.0.1-IF007 and later fixes, V20.0.1 - V20.0.3 and later fixes, V19.0.1 - V19.0.3 and later fixes, and V18.0.0 - V18.0.2 and later fixes.
How can I fix CVE-2022-38752?
To fix CVE-2022-38752, update to the recommended versions: eap7-snakeyaml 1.33.0-2.SP1_redhat_00001.1.el8ea, eap7-snakeyaml 1.33.0-2.SP1_redhat_00001.1.el9ea, eap7-snakeyaml 1.33.0-2.SP1_redhat_00001.1.el7ea, candlepin 4.2.13-1.el8, rh-sso7-keycloak 18.0.7-1.redhat_00001.1.el7, rh-sso7-keycloak 18.0.7-1.redhat_00001.1.el8, rh-sso7-keycloak 18.0.7-1.redhat_00001.1.el9, or follow the provided patches for IBM Cloud Pak for Business Automation versions.
What is the Common Weakness Enumeration (CWE) for CVE-2022-38752?
The Common Weakness Enumeration (CWE) for CVE-2022-38752 includes CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow).