CVE-2023-28118: 
Java vulnerability analysis and mitigation

CVE-2023-28118 affects kaml, a YAML support library for kotlinx.serialization. The vulnerability was discovered and disclosed on March 20, 2023, and patched in version 0.53.0. The vulnerability allows applications that use kaml to parse untrusted input containing anchors and aliases to consume excessive memory and crash (GitHub Advisory).

The vulnerability is related to the parsing of YAML documents containing anchors and aliases, which could lead to excessive memory consumption similar to a billion laughs attack. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-776: Improper Restriction of Recursive Entity References in DTDs (NVD).

When exploited, this vulnerability can cause denial of service through excessive memory consumption, potentially leading to application crashes. The vulnerability only affects applications that process untrusted YAML input containing anchors and aliases (GitHub Advisory).

The vulnerability has been fixed in version 0.53.0, which defaults to refusing to parse YAML documents containing anchors and aliases. If your application needs to support anchors and aliases, you can enable them by setting YamlConfiguration.allowAnchorsAndAliases to true. There are no known workarounds for affected versions (GitHub Release).