CVE-2013-6393

libyaml: heap-based buffer overflow when parsing YAML tags

Severity Score

8.6

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.

La función yaml_parser_scan_tag_uri en scanner.c en LibYAML anterior a 0.1.5 lleva a cabo un "cast" incorrecto, lo que permite a atacantes remotos causar una denegación de servicio (caída de la aplicación) y probablemente ejecutar código arbitrario a través de etiquetas manipuladas en YAML.

Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Adjacent

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-11-04 CVE Reserved
2014-02-01 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-122: Heap-based Buffer Overflow

CAPEC

References (22)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2014-0040.html	Third Party Advisory
http://osvdb.org/102716	Vdb Entry
http://www.securityfocus.com/bid/65258	Third Party Advisory
https://bitbucket.org/xi/libyaml/commits/tag/0.1.5	Issue Tracking
https://bugzilla.redhat.com/attachment.cgi?id=847926&action=diff	Issue Tracking
https://puppet.com/security/cve/cve-2013-6393	X_refsource_confirm
https://support.apple.com/kb/HT6536	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=1033990	2014-04-17

URL	Date	SRC
http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html	2018-10-30
http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html	2018-10-30
http://lists.opensuse.org/opensuse-updates/2014-02/msg00064.html	2018-10-30
http://lists.opensuse.org/opensuse-updates/2014-02/msg00065.html	2018-10-30
http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html	2018-10-30
http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html	2018-10-30
http://rhn.redhat.com/errata/RHSA-2014-0353.html	2018-10-30
http://rhn.redhat.com/errata/RHSA-2014-0354.html	2018-10-30
http://rhn.redhat.com/errata/RHSA-2014-0355.html	2018-10-30
http://www.debian.org/security/2014/dsa-2850	2018-10-30
http://www.debian.org/security/2014/dsa-2870	2018-10-30
http://www.mandriva.com/security/advisories?name=MDVSA-2015:060	2018-10-30
http://www.ubuntu.com/usn/USN-2098-1	2018-10-30
https://access.redhat.com/security/cve/CVE-2013-6393	2014-04-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pyyaml Search vendor "Pyyaml"		Libyaml Search vendor "Pyyaml" for product "Libyaml"				<= 0.1.4 Search vendor "Pyyaml" for product "Libyaml" and version " <= 0.1.4"		-		Affected
Pyyaml Search vendor "Pyyaml"		Libyaml Search vendor "Pyyaml" for product "Libyaml"				0.0.1 Search vendor "Pyyaml" for product "Libyaml" and version "0.0.1"		-		Affected
Pyyaml Search vendor "Pyyaml"		Libyaml Search vendor "Pyyaml" for product "Libyaml"				0.1.1 Search vendor "Pyyaml" for product "Libyaml" and version "0.1.1"		-		Affected
Pyyaml Search vendor "Pyyaml"		Libyaml Search vendor "Pyyaml" for product "Libyaml"				0.1.2 Search vendor "Pyyaml" for product "Libyaml" and version "0.1.2"		-		Affected
Pyyaml Search vendor "Pyyaml"		Libyaml Search vendor "Pyyaml" for product "Libyaml"				0.1.3 Search vendor "Pyyaml" for product "Libyaml" and version "0.1.3"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				13.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "13.10"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				3.0 Search vendor "Redhat" for product "Openstack" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				4.0 Search vendor "Redhat" for product "Openstack" and version "4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				6.0 Search vendor "Debian" for product "Debian Linux" and version "6.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				42.1 Search vendor "Opensuse" for product "Leap" and version "42.1"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.4 Search vendor "Opensuse" for product "Opensuse" and version "11.4"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				13.1 Search vendor "Opensuse" for product "Opensuse" and version "13.1"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				13.2 Search vendor "Opensuse" for product "Opensuse" and version "13.2"		-		Affected