{"id":"CVE-2023-22970","details":"Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file.","modified":"2026-03-15T14:49:26.577296Z","published":"2023-05-26T18:15:13.357Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N24KI3O3FWGKJSLATY35ZM3CHSABJ6WE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZJZEE4RAAK7OPVQNE4BOWUVQDVSZU6NJ/"},{"type":"REPORT","url":"https://github.com/bottlesdevs/Bottles/issues/2463"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bottlesdevs/bottles","events":[{"introduced":"0"},{"fixed":"723133c971d115933f7aeb9520c3161e8e9a2d8b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"51.0"}]}}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4","0.0.5","0.0.6","0.0.7","0.0.8","0.0.9","0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.7","0.1.8","0.1.9","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.8.1","2.0.9","2.0.9.1","2.0.9.2","2.0.9.3","2.0.9.4","2.0.9.5","2.0.9.6","2.0.9.7","2.0.9.8","2021.10.14-treviso","2021.10.14-treviso-1","2021.10.14-treviso-2","2021.10.28-treviso","2021.11.14-treviso","2021.11.14-treviso-1","2021.11.14-treviso-2","2021.11.14-treviso-3","2021.11.14-treviso-4","2021.11.28-treviso","2021.12.14-treviso","2021.12.14-treviso-1","2021.12.14-treviso-2","2021.12.14-treviso-3","2021.12.14-treviso-4","2021.12.28-treviso","2021.7.1-treviso","2021.7.14-treviso","2021.7.2-treviso","2021.7.28-treviso","2021.7.28-treviso-1","2021.7.28-treviso-2","2021.7.3-treviso","2021.8.14-treviso","2021.8.28-treviso","2021.8.28-treviso-1","2021.8.28-treviso-2","2021.8.28-treviso-3","2021.8.28-treviso-4","2021.9.14-treviso","2021.9.28-treviso","2022.1.14-trento","2022.1.14-trento-1","2022.1.14-trento-2","2022.1.14-trento-3","2022.1.14-trento-4","2022.1.28-trento","2022.1.28-trento-1","2022.1.28-trento-2","2022.1.28-trento-3","2022.1.28-trento-4","2022.10.14","2022.10.14.1","2022.11.14","2022.12.14","2022.12.14.1","2022.2.14-trento","2022.2.28-trento","2022.2.28-trento-1","2022.2.28-trento-2","2022.2.28-trento-3","2022.2.28-trento-4","2022.3.14-trento","2022.3.14-trento-1","2022.3.14-trento-2","2022.3.14-trento-3","2022.3.28-trento","2022.3.28-trento-1","2022.4.14-trento","2022.4.14-trento-1","2022.4.14-trento-2","2022.4.28-trento","2022.5.14-trento","2022.5.14-trento-1","2022.5.14-trento-2","2022.5.14-trento-3","2022.5.2-trento","2022.5.2-trento-1","2022.5.2-trento-2","2022.5.2-trento-3","2022.5.28-trento","2022.5.28-trento-1","2022.5.28-trento-2","2022.5.28-trento-3","2022.6.14-brescia","2022.6.14-brescia-1","2022.6.28-brescia","2022.7.14-brescia","2022.7.14-brescia-1","2022.7.14-brescia-2","2022.7.14-brescia-3","2022.7.28-brescia","2022.7.28-brescia-1","2022.7.28-brescia-2","2022.8.14-brescia","2022.8.14-brescia-1","2022.8.28-brescia","2022.8.28-brescia-1","2022.8.28-brescia-2","2022.9.28","2022.9.28.1","3.0","3.0.1","3.0.1.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","50","50.1","continuous-unstable-gh","nightly","snap","unstable"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22970.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}