CVE-2023-24620: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Esoteric YamlBeans through version 1.15, identified as CVE-2023-24620. The vulnerability allows attackers to perform an XML Entity Expansion attack against YamlBeans YamlReader by exploiting the Anchor feature in YAML. This can result in a small YAML document being expanded to a large size during processing (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue is related to CWE-611 (Improper Restriction of XML External Entity Reference). When processing YAML documents, the YamlReader component fails to properly restrict entity expansion, allowing for the creation of documents that exponentially expand when processed (NVD).

When exploited, this vulnerability can cause significant CPU and memory consumption, potentially leading to Java Out-of-Memory exceptions. The impact occurs when the malicious YAML document is processed, particularly during data traversal operations such as toString() calls or recursive traversing of the data structure (GitHub Security).

Users are advised to avoid using versions 1.15 and earlier of the com.esotericsoftware.yamlbeans/yamlbeans package (FortiGuard).