CVE-2017-18640 - Denial of Service (DoS)

Severity: Low2021-12-08

Security Advisories


SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation.

The Oxygen XML products incorporates the SnakeYAML as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion 4.1 and olderLow Oxygen Content Fusion 4.1.2 build 2021112414





Severity: high

CVSS Score: 7.5

The SnakeYAML third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2017-18640 vulnerability description. However, the Oxygen XML software products use SnakeYAML only to generate YAML files, not to parse YAML files. Therefore Oxygen XML software products are not impacted by CVE-2017-18640.

Starting with Oxygen Content Fusion version 4.1, the SnakeYAML library was removed.

List of Security Advisories