Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2014-2525

Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.

Published

2014-03-28T15:55:08.670

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-119

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	pyyaml	libyaml	≤ 0.1.5	Yes
Application	pyyaml	libyaml	0.0.1	Yes
Application	pyyaml	libyaml	0.1.1	Yes
Application	pyyaml	libyaml	0.1.2	Yes
Application	pyyaml	libyaml	0.1.3	Yes
Application	pyyaml	libyaml	0.1.4	Yes
Operating System	opensuse	leap	42.1	Yes
Operating System	opensuse	opensuse	13.1	Yes
Operating System	opensuse	opensuse	13.2	Yes

References

http://advisories.mageia.org/MGASA-2014-0150.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2014-0353.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2014-0354.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2014-0355.html ([email protected])
http://secunia.com/advisories/57836 ([email protected])
http://secunia.com/advisories/57966 ([email protected])
http://secunia.com/advisories/57968 ([email protected])
http://support.apple.com/kb/HT6443 ([email protected])
http://www.debian.org/security/2014/dsa-2884 ([email protected])
http://www.debian.org/security/2014/dsa-2885 ([email protected])
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ ([email protected])
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ ([email protected])
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2015:060 ([email protected])
http://www.ocert.org/advisories/ocert-2014-003.html US Government Resource ([email protected])
http://www.securityfocus.com/bid/66478 ([email protected])
http://www.ubuntu.com/usn/USN-2160-1 ([email protected])
https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048 Exploit, Patch ([email protected])
https://puppet.com/security/cve/cve-2014-2525 ([email protected])
http://advisories.mageia.org/MGASA-2014-0150.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2014-0353.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2014-0354.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2014-0355.html (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/57836 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/57966 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/57968 (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT6443 (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2014/dsa-2884 (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2014/dsa-2885 (af854a3a-2127-422b-91ae-364da2661108)
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ (af854a3a-2127-422b-91ae-364da2661108)
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ (af854a3a-2127-422b-91ae-364da2661108)
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2015:060 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ocert.org/advisories/ocert-2014-003.html US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/66478 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-2160-1 (af854a3a-2127-422b-91ae-364da2661108)
https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048 Exploit, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://puppet.com/security/cve/cve-2014-2525 (af854a3a-2127-422b-91ae-364da2661108)