| id: GO-2020-0036 |
| modules: |
| - module: gopkg.in/yaml.v2 |
| versions: |
| - fixed: 2.2.8 |
| vulnerable_at: 2.2.7 |
| packages: |
| - package: gopkg.in/yaml.v2 |
| symbols: |
| - yaml_parser_fetch_more_tokens |
| - yaml_parser_save_simple_key |
| - yaml_parser_remove_simple_key |
| - yaml_parser_decrease_flow_level |
| - yaml_parser_fetch_stream_start |
| - yaml_parser_fetch_value |
| derived_symbols: |
| - Decoder.Decode |
| - Unmarshal |
| - UnmarshalStrict |
| - module: github.com/go-yaml/yaml |
| vulnerable_at: 2.1.0+incompatible |
| packages: |
| - package: github.com/go-yaml/yaml |
| symbols: |
| - yaml_parser_fetch_more_tokens |
| - yaml_parser_save_simple_key |
| - yaml_parser_remove_simple_key |
| - yaml_parser_decrease_flow_level |
| - yaml_parser_fetch_stream_start |
| - yaml_parser_fetch_value |
| derived_symbols: |
| - Decoder.Decode |
| - Unmarshal |
| - UnmarshalStrict |
| summary: Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2 |
| description: |- |
| Due to unbounded aliasing, a crafted YAML file can cause consumption of |
| significant system resources. If parsing user supplied input, this may be used |
| as a denial of service vector. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2019-11254 |
| ghsas: |
| - GHSA-wxc4-f4m6-wwqv |
| references: |
| - fix: https://github.com/go-yaml/yaml/pull/555 |
| - fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48 |
| - web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496 |
| review_status: REVIEWED |