| modules: |
| - module: gopkg.in/yaml.v2 |
| versions: |
| - fixed: 2.2.8 |
| packages: |
| - package: gopkg.in/yaml.v2 |
| symbols: |
| - yaml_parser_fetch_more_tokens |
| derived_symbols: |
| - Decoder.Decode |
| - Unmarshal |
| - UnmarshalStrict |
| - module: github.com/go-yaml/yaml |
| packages: |
| - package: github.com/go-yaml/yaml |
| symbols: |
| - yaml_parser_fetch_more_tokens |
| derived_symbols: |
| - Decoder.Decode |
| - Unmarshal |
| - UnmarshalStrict |
| description: | |
| Due to unbounded aliasing, a crafted YAML file can cause consumption |
| of significant system resources. If parsing user supplied input, this |
| may be used as a denial of service vector. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2019-11254 |
| ghsas: |
| - GHSA-wxc4-f4m6-wwqv |
| references: |
| - fix: https://github.com/go-yaml/yaml/pull/555 |
| - fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48 |
| - web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496 |
