| id: GO-2022-0956 |
| modules: |
| - module: gopkg.in/yaml.v2 |
| versions: |
| - fixed: 2.2.4 |
| vulnerable_at: 2.2.3 |
| packages: |
| - package: gopkg.in/yaml.v2 |
| symbols: |
| - decoder.unmarshal |
| - yaml_parser_increase_flow_level |
| - yaml_parser_roll_indent |
| derived_symbols: |
| - Decoder.Decode |
| - Unmarshal |
| - UnmarshalStrict |
| summary: Excessive resource consumption in gopkg.in/yaml.v2 |
| description: |- |
| Parsing malicious or large YAML documents can consume excessive amounts of CPU |
| or memory. |
| published: 2022-08-29T22:15:46Z |
| ghsas: |
| - GHSA-6q6q-88xp-6f2r |
| references: |
| - fix: https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5 |
| - web: https://github.com/go-yaml/yaml/releases/tag/v2.2.4 |
| cve_metadata: |
| id: CVE-2022-3064 |
| cwe: 'CWE 400: Uncontrolled Resource Consumption' |
| references: |
| - https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/ |
| review_status: REVIEWED |