Potential Denial Of Service in welcome channel module, making use of user-specified YAML

High

NoComment1105 published GHSA-7vfm-9766-h7hg

Mar 18, 2023

Package

org.hyacinthbots:LilyBot (GitHub Actions)

Affected versions

v4.3.0 - v4.8.2

Patched versions

>=v4.8.3

Description

Impact

Lily makes use of Cozy's Welcome Channel module, which contains the affected dependency

Patches

In the latest LilyBot version (v4.8.3) we bump our dependency on the welcome channel module to 1.0.1-SNAPSHOT which contains the fixed versions

Workarounds

None.

References

Security advisory for the Cozy Modules (QuiltMC/cozy-discord, GHSA-4725-965f-99mw)
Security advisory for the YAML parser (charleskorn/kaml, GHSA-c24f-2j3g-rg48)
Wikipedia explanation of the Billion Laughs Attack, which is the vulnerability in question here.

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H