{"api_version":"1","generated_at":"2026-04-23T00:42:07+00:00","cve":"CVE-2022-38752","urls":{"html":"https://cve.report/CVE-2022-38752","api":"https://cve.report/api/cve/CVE-2022-38752.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-38752","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-38752"},"summary":{"title":"CVE-2022-38752","description":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.","state":"PUBLIC","assigner":"security@google.com","published_at":"2022-09-05 10:15:00","updated_at":"2024-03-15 11:15:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202305-28","name":"GLSA-202305-28","refsource":"GENTOO","tags":[],"title":"snakeyaml: Multiple Vulnerabilities (GLSA 202305-28) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20240315-0009/","name":"https://security.netapp.com/advisory/ntap-20240315-0009/","refsource":"","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081","name":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081","refsource":"MISC","tags":[],"title":"47081 - \n \n \n oss-fuzz -\n \n \n OSS-Fuzz: Fuzzing the planet - \n \n Monorail","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081","name":"https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081","refsource":"MISC","tags":[],"title":"snakeyaml / snakeyaml \n  / issues \n  / #531 - Stackoverflow [OSS-Fuzz - 47081]\n\n — Bitbucket","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-38752","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38752","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"38752","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"snakeyaml_project","cpe5":"snakeyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"38752","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"snakeyaml_project","cpe5":"snakeyaml","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-38752","qid":"182585","title":"Debian Security Update for snakeyaml (CVE-2022-38752)"},{"cve":"CVE-2022-38752","qid":"20396","title":"IBM DB2 Multiple Vulnerabilities (7095807)"},{"cve":"CVE-2022-38752","qid":"241301","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 7 (RHSA-2023:1512)"},{"cve":"CVE-2022-38752","qid":"241302","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 8 (RHSA-2023:1513)"},{"cve":"CVE-2022-38752","qid":"241303","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 9 (RHSA-2023:1514)"},{"cve":"CVE-2022-38752","qid":"241405","title":"Red Hat Update for Satellite 6.13 (RHSA-2023:2097)"},{"cve":"CVE-2022-38752","qid":"356386","title":"Amazon Linux Security Advisory for snakeyaml : ALAS2023-2023-375"},{"cve":"CVE-2022-38752","qid":"357078","title":"Amazon Linux Security Advisory for snakeyaml : ALAS2-2024-2450"},{"cve":"CVE-2022-38752","qid":"710729","title":"Gentoo Linux snakeyaml Multiple Vulnerabilities (GLSA 202305-28)"},{"cve":"CVE-2022-38752","qid":"753357","title":"SUSE Enterprise Linux Security Update for snakeyaml (SUSE-SU-2022:3397-1)"},{"cve":"CVE-2022-38752","qid":"904055","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for snakeyaml (11026)"},{"cve":"CVE-2022-38752","qid":"960924","title":"Rocky Linux Security Update for Satellite (RLSA-2023:2097)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@google.com","ID":"CVE-2022-38752","STATE":"PUBLIC","TITLE":"DoS in SnakeYAML"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SnakeYAML","version":{"version_data":[{"version_affected":"<=","version_value":"1.31"}]}}]},"vendor_name":"snakeyaml"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-121 Stack-based Buffer Overflow"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081","name":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081"},{"refsource":"MISC","url":"https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081","name":"https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081"},{"refsource":"GENTOO","name":"GLSA-202305-28","url":"https://security.gentoo.org/glsa/202305-28"}]},"source":{"discovery":"INTERNAL"}},"nvd":{"publishedDate":"2022-09-05 10:15:00","lastModifiedDate":"2024-03-15 11:15:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*","versionEndExcluding":"1.32","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}