data/reports/GO-2020-0036.yaml - vulndb - Git at Google

 modules:
   - module: gopkg.in/yaml.v2
     versions:
       - fixed: 2.2.8
     vulnerable_at: 2.2.7
     packages:
       - package: gopkg.in/yaml.v2
         symbols:
           - yaml_parser_fetch_more_tokens
           - yaml_parser_save_simple_key
           - yaml_parser_remove_simple_key
           - yaml_parser_decrease_flow_level
           - yaml_parser_fetch_stream_start
           - yaml_parser_fetch_value
         derived_symbols:
           - Decoder.Decode
           - Unmarshal
           - UnmarshalStrict
   - module: github.com/go-yaml/yaml
     vulnerable_at: 2.1.0+incompatible
     packages:
       - package: github.com/go-yaml/yaml
         symbols:
           - yaml_parser_fetch_more_tokens
           - yaml_parser_save_simple_key
           - yaml_parser_remove_simple_key
           - yaml_parser_decrease_flow_level
           - yaml_parser_fetch_stream_start
           - yaml_parser_fetch_value
         derived_symbols:
           - Decoder.Decode
           - Unmarshal
           - UnmarshalStrict
 description: |
     Due to unbounded aliasing, a crafted YAML file can cause consumption
     of significant system resources. If parsing user supplied input, this
     may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-11254
 ghsas:
   - GHSA-wxc4-f4m6-wwqv
 references:
   - fix: https://github.com/go-yaml/yaml/pull/555
   - fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
   - web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
	modules:
	- module: gopkg.in/yaml.v2
	versions:
	- fixed: 2.2.8
	vulnerable_at: 2.2.7
	packages:
	- package: gopkg.in/yaml.v2
	symbols:
	- yaml_parser_fetch_more_tokens
	- yaml_parser_save_simple_key
	- yaml_parser_remove_simple_key
	- yaml_parser_decrease_flow_level
	- yaml_parser_fetch_stream_start
	- yaml_parser_fetch_value
	derived_symbols:
	- Decoder.Decode
	- Unmarshal
	- UnmarshalStrict
	- module: github.com/go-yaml/yaml
	vulnerable_at: 2.1.0+incompatible
	packages:
	- package: github.com/go-yaml/yaml
	symbols:
	- yaml_parser_fetch_more_tokens
	- yaml_parser_save_simple_key
	- yaml_parser_remove_simple_key
	- yaml_parser_decrease_flow_level
	- yaml_parser_fetch_stream_start
	- yaml_parser_fetch_value
	derived_symbols:
	- Decoder.Decode
	- Unmarshal
	- UnmarshalStrict
	description: \|
	Due to unbounded aliasing, a crafted YAML file can cause consumption
	of significant system resources. If parsing user supplied input, this
	may be used as a denial of service vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2019-11254
	ghsas:
	- GHSA-wxc4-f4m6-wwqv
	references:
	- fix: https://github.com/go-yaml/yaml/pull/555
	- fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
	- web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496