blob: 95b19803b64ef5f66a7dee98208ace8b18d02871 [file] [log] [blame]
id: GO-2020-0036
modules:
- module: gopkg.in/yaml.v2
versions:
- fixed: 2.2.8
vulnerable_at: 2.2.7
packages:
- package: gopkg.in/yaml.v2
symbols:
- yaml_parser_fetch_more_tokens
- yaml_parser_save_simple_key
- yaml_parser_remove_simple_key
- yaml_parser_decrease_flow_level
- yaml_parser_fetch_stream_start
- yaml_parser_fetch_value
derived_symbols:
- Decoder.Decode
- Unmarshal
- UnmarshalStrict
- module: github.com/go-yaml/yaml
vulnerable_at: 2.1.0+incompatible
packages:
- package: github.com/go-yaml/yaml
symbols:
- yaml_parser_fetch_more_tokens
- yaml_parser_save_simple_key
- yaml_parser_remove_simple_key
- yaml_parser_decrease_flow_level
- yaml_parser_fetch_stream_start
- yaml_parser_fetch_value
derived_symbols:
- Decoder.Decode
- Unmarshal
- UnmarshalStrict
summary: Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2
description: |-
Due to unbounded aliasing, a crafted YAML file can cause consumption of
significant system resources. If parsing user supplied input, this may be used
as a denial of service vector.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-11254
ghsas:
- GHSA-wxc4-f4m6-wwqv
references:
- fix: https://github.com/go-yaml/yaml/pull/555
- fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
- web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
review_status: REVIEWED