ExploitCVE-2024-35328
Improper Control of Resource Identifiers ('Resource Injection') (CWE-99)
Summary
libyaml v0.2.5 is vulnerable to a denial of service (DoS) attack. The vulnerability exists in the yaml_parser_parse function of the /src/libyaml/src/parser.c file. An attacker can send specially crafted input that causes excessive resource consumption, leading to a DoS condition.
Impact
A successful exploitation of this vulnerability could lead to a denial of service, causing the affected system or service to become unresponsive or crash. This could result in system downtime and disruption of operations. The vulnerability has a CVSS v3.1 base score of 7.5 (High severity), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This indicates that the attack vector is network-based, has low attack complexity, requires no privileges or user interaction, and primarily affects the availability of the system.
Exploitation
One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.
Patch
Yes, a patch is available. The vulnerability details include a link to a Bugzilla entry from Red Hat with patch information. The patch was added on 2024-06-13.
Mitigation
Apply the available patches from the respective vendors as soon as possible. If patching is not immediately possible, implement workarounds or mitigations recommended by the vendors, such as input validation or resource limits, to reduce the risk of exploitation. Given the high severity score and the potential for system disruption, prioritize this vulnerability for patching efforts, especially for systems exposed to untrusted network traffic.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Timeline
NVD published the first details for CVE-2024-35328
Feedly found the first article mentioning CVE-2024-35328. See article
Feedly estimated the CVSS score as HIGH
RedHat CVE advisory released a security advisory (CVE-2024-35328).
A CVSS base score of 6.5 has been assigned.
This CVE started to trend in security discussions
EPSS Score was set to: 0.04% (Percentile: 9%)
This CVE stopped trending in security discussions
A CVSS base score of 7.5 has been assigned.