{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-03-26T00:00:00", "descriptions": [{"lang": "en", "value": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-08T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "66478", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/66478"}, {"name": "57836", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/57836"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://puppet.com/security/cve/cve-2014-2525"}, {"name": "MDVSA-2015:060", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"}, {"tags": ["x_refsource_MISC"], "url": "http://www.ocert.org/advisories/ocert-2014-003.html"}, {"name": "DSA-2885", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2885"}, {"name": "USN-2160-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2160-1"}, {"name": "openSUSE-SU-2015:0319", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"}, {"name": "RHSA-2014:0355", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"}, {"name": "DSA-2884", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2884"}, {"name": "RHSA-2014:0354", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0150.html"}, {"name": "openSUSE-SU-2014:0500", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.apple.com/kb/HT6443"}, {"name": "openSUSE-SU-2016:1067", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"}, {"name": "RHSA-2014:0353", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"}, {"name": "57968", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/57968"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"}, {"name": "57966", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/57966"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2525", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "66478", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66478"}, {"name": "57836", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57836"}, {"name": "https://puppet.com/security/cve/cve-2014-2525", "refsource": "CONFIRM", "url": "https://puppet.com/security/cve/cve-2014-2525"}, {"name": "MDVSA-2015:060", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"}, {"name": "http://www.ocert.org/advisories/ocert-2014-003.html", "refsource": "MISC", "url": "http://www.ocert.org/advisories/ocert-2014-003.html"}, {"name": "DSA-2885", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2885"}, {"name": "USN-2160-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2160-1"}, {"name": "openSUSE-SU-2015:0319", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"}, {"name": "RHSA-2014:0355", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"}, {"name": "DSA-2884", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2884"}, {"name": "RHSA-2014:0354", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"}, {"name": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/", "refsource": "CONFIRM", "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"}, {"name": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048", "refsource": "CONFIRM", "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"}, {"name": "http://advisories.mageia.org/MGASA-2014-0150.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0150.html"}, {"name": "openSUSE-SU-2014:0500", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"}, {"name": "http://support.apple.com/kb/HT6443", "refsource": "CONFIRM", "url": "http://support.apple.com/kb/HT6443"}, {"name": "openSUSE-SU-2016:1067", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"}, {"name": "RHSA-2014:0353", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"}, {"name": "57968", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57968"}, {"name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", "refsource": "CONFIRM", "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"}, {"name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/", "refsource": "CONFIRM", "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"}, {"name": "57966", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57966"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:14:26.613Z"}, "title": "CVE Program Container", "references": [{"name": "66478", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/66478"}, {"name": "57836", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/57836"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://puppet.com/security/cve/cve-2014-2525"}, {"name": "MDVSA-2015:060", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.ocert.org/advisories/ocert-2014-003.html"}, {"name": "DSA-2885", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2885"}, {"name": "USN-2160-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2160-1"}, {"name": "openSUSE-SU-2015:0319", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"}, {"name": "RHSA-2014:0355", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"}, {"name": "DSA-2884", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2884"}, {"name": "RHSA-2014:0354", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2014-0150.html"}, {"name": "openSUSE-SU-2014:0500", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.apple.com/kb/HT6443"}, {"name": "openSUSE-SU-2016:1067", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"}, {"name": "RHSA-2014:0353", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"}, {"name": "57968", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/57968"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"}, {"name": "57966", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/57966"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2525", "datePublished": "2014-03-28T15:00:00", "dateReserved": "2014-03-17T00:00:00", "dateUpdated": "2024-08-06T10:14:26.613Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyyaml:libyaml:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF15A6D7-D1CD-4B9A-8A90-81E441C531EF", "versionEndIncluding": "0.1.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyyaml:libyaml:0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7F454F77-1AB1-44CF-8E1F-47BD71966CB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyyaml:libyaml:0.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2F2A3FC6-ADD6-4890-A91E-7B42138CB1B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyyaml:libyaml:0.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "A7892D90-243C-4588-92D0-F49B3443B3DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyyaml:libyaml:0.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "9759A8FD-7010-4D10-9E26-A03FDDDA187B", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyyaml:libyaml:0.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "7AE63A49-551A-4C0F-8ED9-AE1DB049B141", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file."}, {"lang": "es", "value": "Desbordamiento de buffer basado en memoria din\u00e1mica en la funci\u00f3n yaml_parser_scan_uri_escapes en LibYAML anterior a 0.1.6 permite a atacantes dependientes de contexto ejecutar c\u00f3digo arbitrario a trav\u00e9s de una secuencia larga de caracteres codificados de porcentaje en una URI en un archivo YAML."}], "id": "CVE-2014-2525", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-03-28T15:55:08.670", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://advisories.mageia.org/MGASA-2014-0150.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/57836"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/57966"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/57968"}, {"source": "cve@mitre.org", "url": "http://support.apple.com/kb/HT6443"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2014/dsa-2884"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2014/dsa-2885"}, {"source": "cve@mitre.org", "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"}, {"source": "cve@mitre.org", "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"}, {"source": "cve@mitre.org", "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.ocert.org/advisories/ocert-2014-003.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/66478"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2160-1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"}, {"source": "cve@mitre.org", "url": "https://puppet.com/security/cve/cve-2014-2525"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://advisories.mageia.org/MGASA-2014-0150.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2016-04/msg00050.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0353.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0354.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0355.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/57836"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/57966"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/57968"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://support.apple.com/kb/HT6443"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2884"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2885"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:060"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.ocert.org/advisories/ocert-2014-003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/66478"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2160-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://puppet.com/security/cve/cve-2014-2525"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank oCERT for reporting this issue.", "affected_release": [{"advisory": "RHSA-2014:0353", "cpe": "cpe:/a:redhat:openstack:3::el6", "package": "libyaml-0:0.1.3-1.4.el6", "product_name": "OpenStack 3 for RHEL 6", "release_date": "2014-04-02T00:00:00Z"}, {"advisory": "RHSA-2014:0364", "cpe": "cpe:/a:redhat:openstack:3::el6", "package": "ruby193-libyaml-0:0.1.4-5.1.el6", "product_name": "OpenStack 3 for RHEL 6", "release_date": "2014-04-03T00:00:00Z"}, {"advisory": "RHSA-2014:0354", "cpe": "cpe:/a:redhat:openstack:4::el6", "package": "libyaml-0:0.1.3-1.4.el6", "product_name": "OpenStack 4 for RHEL 6", "release_date": "2014-04-02T00:00:00Z"}, {"advisory": "RHSA-2014:0415", "cpe": "cpe:/a:redhat:rhel_common:6::el6", "package": "libyaml-0:0.1.3-1.4.el6", "product_name": "Red Hat Common for RHEL 6", "release_date": "2014-04-17T00:00:00Z"}, {"advisory": "RHSA-2014:0355", "cpe": "cpe:/a:redhat:rhel_software_collections:1::el6", "package": "ruby193-libyaml-0:0.1.4-5.1.el6", "product_name": "Red Hat Software Collections for RHEL-6", "release_date": "2014-04-02T00:00:00Z"}], "bugzilla": {"description": "libyaml: heap-based buffer overflow when parsing URLs", "id": "1078083", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1078083"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-122", "details": ["Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2014-2525", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "ruby193-libyaml", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Will not fix", "package_name": "ruby193-libyaml", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "libyaml", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libyaml", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:1", "fix_state": "Will not fix", "package_name": "libyaml", "product_name": "Red Hat Enterprise MRG 1"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Will not fix", "package_name": "libyaml", "product_name": "Red Hat Enterprise MRG 2"}, {"cpe": "cpe:/a:redhat:network_satellite:5.3", "fix_state": "Will not fix", "package_name": "libyaml", "product_name": "Red Hat Satellite 5.3"}, {"cpe": "cpe:/a:redhat:network_satellite:5.4", "fix_state": "Will not fix", "package_name": "libyaml", "product_name": "Red Hat Satellite 5.4"}, {"cpe": "cpe:/a:redhat:network_satellite:5.5", "fix_state": "Will not fix", "package_name": "libyaml", "product_name": "Red Hat Satellite 5.5"}, {"cpe": "cpe:/a:redhat:network_satellite:5.6", "fix_state": "Not affected", "package_name": "libyaml", "product_name": "Red Hat Satellite 5.6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "libyaml", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Not affected", "package_name": "libyaml", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Affected", "package_name": "libyaml", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:redhat:rhui:2", "fix_state": "Will not fix", "package_name": "libyaml", "product_name": "RHUI for RHEL 6"}], "public_date": "2014-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-2525\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-2525"], "statement": "Redhat satellite does not ship libyaml package but instead consumes the package from the RHEL distribution which is why it has been marked as not affected.", "threat_severity": "Important"}