{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36609?format=json","vulnerability_id":"VCID-xsxy-eu7e-k3cq","summary":"Remarshal prior to v0.17.1 expands YAML alias nodes without limit, so Remarshal is vulnerable to a Billion Laughs attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.","aliases":[{"alias":"CVE-2023-47163"},{"alias":"GHSA-gw7g-qr8w-3448"},{"alias":"PYSEC-2023-236"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37852?format=json","purl":"pkg:pypi/remarshal@0.17.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.17.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37837?format=json","purl":"pkg:pypi/remarshal@0.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37838?format=json","purl":"pkg:pypi/remarshal@0.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37839?format=json","purl":"pkg:pypi/remarshal@0.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.9.1"},{"url":"http://public2.vulnerablecode.io/api/packages/37840?format=json","purl":"pkg:pypi/remarshal@0.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.9.2"},{"url":"http://public2.vulnerablecode.io/api/packages/37841?format=json","purl":"pkg:pypi/remarshal@0.10.0","is_vulnerable":true,"affected_b
y_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.10.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37842?format=json","purl":"pkg:pypi/remarshal@0.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.11.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37843?format=json","purl":"pkg:pypi/remarshal@0.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.11.1"},{"url":"http://public2.vulnerablecode.io/api/packages/37844?format=json","purl":"pkg:pypi/remarshal@0.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.11.2"},{"url":"http://public2.vulnerablecode.io/api/packages/37845?format=json","purl":"pkg:pypi/remarshal@0.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.12.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37846?format=json","purl":"pkg:pypi/remarshal@0.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.14.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37847?format=json","purl":"pkg:pypi/remarshal@0.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.15.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37848?format=json","purl":"pkg:pypi/remarshal@0.15.1","is_vulnerable":true,"a
ffected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.15.1"},{"url":"http://public2.vulnerablecode.io/api/packages/37849?format=json","purl":"pkg:pypi/remarshal@0.16.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.16.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37850?format=json","purl":"pkg:pypi/remarshal@0.16.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.16.1"},{"url":"http://public2.vulnerablecode.io/api/packages/37851?format=json","purl":"pkg:pypi/remarshal@0.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xsxy-eu7e-k3cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/remarshal@0.17.0"}],"references":[{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/remarshal/PYSEC-2023-236.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/remarshal/PYSEC-2023-236.yaml"},{"reference_url":"https://github.com/remarshal-project/remarshal","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/remarshal-project/remarshal"},{"reference_url":"https://github.com/remarshal-project/remarshal/commit/fd6ac799a02f533c3fc243b49cdd6d21aa7ee494","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/remarshal-project/remarshal/commit/fd6ac799a02f533c3fc243b49cdd6d21aa7ee494"},{"reference_url":"https://github.com/remarshal-project/remarshal/releases/tag/v0.17.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system
":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/remarshal-project/remarshal/releases/tag/v0.17.1"},{"reference_url":"https://jvn.jp/en/jp/JVN86156389","reference_id":"","reference_type":"","scores":[],"url":"https://jvn.jp/en/jp/JVN86156389"},{"reference_url":"https://jvn.jp/en/jp/JVN86156389/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://jvn.jp/en/jp/JVN86156389/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47163","reference_id":"CVE-2023-47163","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47163"},{"reference_url":"https://github.com/advisories/GHSA-gw7g-qr8w-3448","reference_id":"GHSA-gw7g-qr8w-3448","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gw7g-qr8w-3448"}],"weaknesses":[{"cwe_id":400,"name":"Uncontrolled Resource Consumption","description":"The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources."},{"cwe_id":674,"name":"Uncontrolled Recursion","description":"The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"7.5 - 
7.5","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xsxy-eu7e-k3cq"}