Use of Externally-Controlled Format String Affecting libyaml-libyaml-perl package, versions <0.38-2


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
2.43% (83rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIANUNSTABLE-LIBYAMLLIBYAMLPERL-323480
  • published9 Sept 2012
  • disclosed9 Sept 2012

Introduced: 9 Sep 2012

CVE-2012-1152  (opens in a new tab)
CWE-134  (opens in a new tab)

How to fix?

Upgrade Debian:unstable libyaml-libyaml-perl to version 0.38-2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libyaml-libyaml-perl package and not the libyaml-libyaml-perl package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial of service (process crash) via format string specifiers in a (1) YAML stream to the Load function, (2) YAML node to the load_node function, (3) YAML mapping to the load_mapping function, or (4) YAML sequence to the load_sequence function.

CVSS Base Scores

version 3.1