CVE-2023-28118 : Security Advisory and Response

CVE-2023-28118 involves a denial of service vulnerability in the kaml library due to parsing input with anchors and aliases. Learn about the impact, mitigation, and prevention.

This CVE record involves a potential denial of service vulnerability in the kaml library while parsing input with anchors and aliases.

Understanding CVE-2023-28118

This vulnerability, assigned by GitHub_M, highlights a specific issue in the kaml library that could lead to a denial of service attack when parsing input with anchors and aliases.

What is CVE-2023-28118?

The kaml library provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications using kaml to parse untrusted input containing anchors and aliases may experience excessive memory consumption, leading to crashes. Starting from version 0.53.0, kaml defaults to refusing to parse YAML documents containing anchors and aliases. At the moment, there are no known workarounds for this vulnerability.

The Impact of CVE-2023-28118

The impact of CVE-2023-28118 is rated as high, with a CVSS v3.1 base score of 7.5. The attack vector is network, the attack complexity is low, no privileges are required, and the result is a high availability impact. There is no impact on confidentiality or integrity.

Technical Details of CVE-2023-28118

This section provides more detailed technical information about the vulnerability in the kaml library.

Vulnerability Description

The vulnerability in kaml is classified as CWE-776, Improper Restriction of Recursive Entity References in DTDs ("XML Entity Expansion"): the same unbounded-expansion pattern, here arising from YAML anchors and aliases rather than XML entities.

Affected Systems and Versions

The kaml library versions prior to 0.53.0 are affected by this vulnerability. Specifically, any application using kaml with a version less than 0.53.0 is at risk of experiencing denial of service due to memory consumption issues while parsing input containing anchors and aliases.

Exploitation Mechanism

Exploiting CVE-2023-28118 involves submitting malicious YAML documents containing anchors and aliases to applications utilizing the vulnerable versions of the kaml library. This can lead to excessive memory usage, potentially causing the application to crash.

Mitigation and Prevention

To address CVE-2023-28118 and prevent potential denial of service attacks, certain steps should be taken by affected users and developers.

Immediate Steps to Take

        Users should update the kaml library to version 0.53.0 or newer, where the default behavior is to reject parsing YAML documents with anchors and aliases.
        Developers should review and modify their applications to ensure compatibility with the new version of kaml and avoid parsing untrusted input that may trigger the vulnerability.
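As an added illustration (not code from the advisory or from the kaml project), the following Kotlin snippet shows how a service on kaml 0.53.0 or newer can keep the anchor/alias refusal in place for client-supplied YAML while still opting in for trusted on-disk configuration. The `JobRequest` type and the sample documents are constructed for this example, and the `allowAnchorsAndAliases` flag is assumed to be the `YamlConfiguration` option introduced with the 0.53.0 fix.

```kotlin
import com.charleskorn.kaml.Yaml
import com.charleskorn.kaml.YamlConfiguration
import com.charleskorn.kaml.YamlException
import kotlinx.serialization.Serializable

// Constructed shape of the document the service accepts from clients.
@Serializable
data class JobRequest(val name: String, val tags: List<String>)

// Parser for untrusted input. Since kaml 0.53.0 this is already the default;
// it is written out so a future configuration change cannot silently re-enable it.
private val untrustedYaml = Yaml(
    configuration = YamlConfiguration(allowAnchorsAndAliases = false)
)

// Parser for trusted configuration files where anchors are a legitimate convenience.
// Opting in restores the pre-0.53.0 behaviour, so only trusted sources go through here.
private val trustedYaml = Yaml(
    configuration = YamlConfiguration(allowAnchorsAndAliases = true)
)

sealed class ParseResult {
    data class Ok(val request: JobRequest) : ParseResult()
    data class Rejected(val reason: String) : ParseResult()
}

// Decode client-supplied YAML; anchor/alias use and malformed input both surface
// as YamlException and are turned into a rejection instead of a crash.
fun parseClientRequest(body: String): ParseResult =
    try {
        ParseResult.Ok(untrustedYaml.decodeFromString(JobRequest.serializer(), body))
    } catch (e: YamlException) {
        // Log the reason server-side; do not echo parser internals back to the client.
        ParseResult.Rejected("YAML rejected: ${e.message}")
    }

fun main() {
    // Constructed sample inputs: a plain document and one using an anchor and alias.
    val plain = "name: nightly-build\ntags: [ci, linux]\n"
    val withAlias = "name: &n nightly-build\ntags: [*n, linux]\n"

    println(parseClientRequest(plain))
    println(parseClientRequest(withAlias))

    // The same aliased document is accepted only through the trusted parser.
    println(trustedYaml.decodeFromString(JobRequest.serializer(), withAlias))
}
```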

Long-Term Security Practices

        Implement secure coding practices to mitigate the risk of denial of service vulnerabilities in libraries and dependencies.
        Regularly monitor for security advisories and updates related to the kaml library and other components used in applications to stay informed about potential risks.

Patching and Updates

Ensure that all systems and applications using the kaml library are kept up to date with the latest patches and versions. Regularly check for security advisories and release notes from the library maintainers to stay informed about any security fixes or updates that may address vulnerabilities like CVE-2023-28118.
