Bugzilla – Bug 1222284
VUL-0: REJECTED: CVE-2024-3205: libyaml,perl-YAML-LibYAML: heap-based buffer overflow in yaml_emitter_emit_flow_sequence_item() in src/emitter.c
Last modified: 2024-05-27 15:27:12 UTC
A vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3205
https://www.cve.org/CVERecord?id=CVE-2024-3205
https://drive.google.com/drive/folders/1lwNEs8wqwkUV52f3uQNYMPrxRuXPtGQs?usp=sharing
https://vuldb.com/?ctiid.259052
https://vuldb.com/?id.259052
https://vuldb.com/?submit.304561
https://bugzilla.redhat.com/show_bug.cgi?id=2272889
Two issues related to this vulnerability have been opened in the upstream GitHub repository:
https://github.com/yaml/libyaml/issues/258 (created Nov. 2022)
https://github.com/yaml/libyaml/issues/289 (created April 2024)

Related to the above issues there is the following PR:
https://github.com/yaml/libyaml/pull/259
New GitHub PR: https://github.com/yaml/libyaml/pull/290
I contacted VulDB to reject the CVE. They just replied and confirmed that the CVE is rejected:
https://www.cve.org/CVERecord
https://vuldb.com/?diff.259052

What else is to be done here for us?
CVE rejected, closing.