| id: GO-2021-0061 |
| modules: |
| - module: gopkg.in/yaml.v2 |
| versions: |
| - fixed: 2.2.3 |
| vulnerable_at: 2.2.2 |
| packages: |
| - package: gopkg.in/yaml.v2 |
| symbols: |
| - decoder.unmarshal |
| derived_symbols: |
| - Decoder.Decode |
| - Unmarshal |
| - UnmarshalStrict |
| - module: github.com/go-yaml/yaml |
| vulnerable_at: 2.1.0+incompatible |
| packages: |
| - package: github.com/go-yaml/yaml |
| symbols: |
| - decoder.unmarshal |
| derived_symbols: |
| - Decoder.Decode |
| - Unmarshal |
| - UnmarshalStrict |
| summary: Denial of service in gopkg.in/yaml.v2 |
| description: |- |
| Due to unbounded alias chasing, a maliciously crafted YAML file can cause the |
| system to consume significant system resources. If parsing user input, this may |
| be used as a denial of service vector. |
| published: 2021-04-14T20:04:52Z |
| ghsas: |
| - GHSA-r88r-gmrh-7j83 |
| credits: |
| - '@simonferquel' |
| references: |
| - fix: https://github.com/go-yaml/yaml/pull/375 |
| - fix: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 |
| cve_metadata: |
| id: CVE-2021-4235 |
| cwe: 'CWE 400: Uncontrolled Resource Consumption' |
| references: |
| - https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html |
| review_status: REVIEWED |
