{"api_version":"1","generated_at":"2026-04-23T00:42:06+00:00","cve":"CVE-2022-38750","urls":{"html":"https://cve.report/CVE-2022-38750","api":"https://cve.report/api/cve/CVE-2022-38750.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-38750","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-38750"},"summary":{"title":"CVE-2022-38750","description":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.","state":"PUBLIC","assigner":"security@google.com","published_at":"2022-09-05 10:15:00","updated_at":"2024-03-15 11:15:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202305-28","name":"GLSA-202305-28","refsource":"GENTOO","tags":[],"title":"snakeyaml: Multiple Vulnerabilities (GLSA 202305-28) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20240315-0010/","name":"https://security.netapp.com/advisory/ntap-20240315-0010/","refsource":"","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html","name":"[debian-lts-announce] 20221002 [SECURITY] [DLA 3132-1] snakeyaml security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3132-1] snakeyaml security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027","name":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027","refsource":"MISC","tags":[],"title":"47027 - \n \n \n oss-fuzz -\n \n \n OSS-Fuzz: Fuzzing the planet - \n \n Monorail","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027","name":"https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027","refsource":"MISC","tags":[],"title":"snakeyaml / snakeyaml \n  / issues \n  / #526 - Stackoverflow [OSS-Fuzz - 47027]\n\n — Bitbucket","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-38750","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38750","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"38750","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"38750","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"snakeyaml_project","cpe5":"snakeyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-38750","qid":"181092","title":"Debian Security Update for snakeyaml (DLA 3132-1)"},{"cve":"CVE-2022-38750","qid":"182029","title":"Debian Security Update for snakeyaml (CVE-2022-38750)"},{"cve":"CVE-2022-38750","qid":"199232","title":"Ubuntu Security Notification for SnakeYAML Vulnerabilities (USN-5944-1)"},{"cve":"CVE-2022-38750","qid":"20396","title":"IBM DB2 Multiple Vulnerabilities (7095807)"},{"cve":"CVE-2022-38750","qid":"241405","title":"Red Hat Update for Satellite 6.13 (RHSA-2023:2097)"},{"cve":"CVE-2022-38750","qid":"355419","title":"Amazon Linux Security Advisory for snakeyaml : ALAS2023-2023-200"},{"cve":"CVE-2022-38750","qid":"710729","title":"Gentoo Linux snakeyaml Multiple Vulnerabilities (GLSA 202305-28)"},{"cve":"CVE-2022-38750","qid":"753357","title":"SUSE Enterprise Linux Security Update for snakeyaml (SUSE-SU-2022:3397-1)"},{"cve":"CVE-2022-38750","qid":"903844","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for snakeyaml (10894)"},{"cve":"CVE-2022-38750","qid":"960924","title":"Rocky Linux Security Update for Satellite (RLSA-2023:2097)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@google.com","ID":"CVE-2022-38750","STATE":"PUBLIC","TITLE":"DoS in SnakeYAML"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SnakeYAML","version":{"version_data":[{"version_affected":"<","version_value":"1.31"}]}}]},"vendor_name":"snakeyaml"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-121 Stack-based Buffer Overflow"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027","name":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027"},{"refsource":"MISC","url":"https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027","name":"https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221002 [SECURITY] [DLA 3132-1] snakeyaml security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"refsource":"GENTOO","name":"GLSA-202305-28","url":"https://security.gentoo.org/glsa/202305-28"}]},"source":{"discovery":"INTERNAL"}},"nvd":{"publishedDate":"2022-09-05 10:15:00","lastModifiedDate":"2024-03-15 11:15:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*","versionEndExcluding":"1.31","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}