CVE-2018-20993

High

An issue was discovered in the yaml-rust crate before 0.4.1 for Rust. There is uncontrolled recursion during deserialization.

mitre·CWE-674·Published 2019-08-26

CVSS

7.5

EPSS

0.01

KEV

Exploits

cve.orgen

125 chars

An issue was discovered in the yaml-rust crate before 0.4.1 for Rust. There is uncontrolled recursion during deserialization.

NVDen

125 chars

An issue was discovered in the yaml-rust crate before 0.4.1 for Rust. There is uncontrolled recursion during deserialization.

Affected versions of this crate did not prevent deep recursion while deserializing data structures. This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it. The flaw was corrected by checking the recursion depth. Note: `clap 2.33` is not affected by this because it uses `yaml-rust` in a way that doesn't trigger the vulnerability. More specifically: 1. The input to the YAML parser is always trusted - is included at compile time via `include_str!`. 2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

GHSAen

274 chars

NVDes

165 chars

Se descubrió un problema en el paquete (crate) yaml-rust versiones anteriores a 0.4.1 para Rust. Se presenta una recursión no controlada durante la deserialización.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.0	10.0	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
3.0	Primary	NVD	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1	Secondary	GHSA	7.5	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H