blob: 976ba353da2bbc3fcc90c0d90148472c5897b6e8 [file] [log] [blame]
module: gopkg.in/yaml.v2
additional_packages:
# all of the incompatible versions of github.com/go-yaml/yaml
# are affected
- module: github.com/go-yaml/yaml
versions:
- fixed: v2.2.8
description: |
Due to unbounded aliasing, a crafted YAML file can cause consumption
of significant system resources. If parsing user supplied input, this
may be used as a denial of service vector.
published: 2021-04-14T12:00:00Z
cve: CVE-2019-11254
symbols:
- yaml_parser_fetch_more_tokens
links:
pr: https://github.com/go-yaml/yaml/pull/555
commit: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
context:
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496