reports/GO-2020-0036.yaml - vulndb - Git at Google

 module: gopkg.in/yaml.v2
 additional_packages:
   - module: github.com/go-yaml/yaml
     symbols:
       - yaml_parser_fetch_more_tokens
     derived_symbols:
       - Decoder.Decode
       - Unmarshal
       - UnmarshalStrict
 versions:
   - fixed: v2.2.8
 description: |
     Due to unbounded aliasing, a crafted YAML file can cause consumption
     of significant system resources. If parsing user supplied input, this
     may be used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-11254
 ghsas:
   - GHSA-wxc4-f4m6-wwqv
 symbols:
   - yaml_parser_fetch_more_tokens
 derived_symbols:
   - Decoder.Decode
   - Unmarshal
   - UnmarshalStrict
 links:
     pr: https://github.com/go-yaml/yaml/pull/555
     commit: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
     context:
       - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
	module: gopkg.in/yaml.v2
	additional_packages:
	- module: github.com/go-yaml/yaml
	symbols:
	- yaml_parser_fetch_more_tokens
	derived_symbols:
	- Decoder.Decode
	- Unmarshal
	- UnmarshalStrict
	versions:
	- fixed: v2.2.8
	description: \|
	Due to unbounded aliasing, a crafted YAML file can cause consumption
	of significant system resources. If parsing user supplied input, this
	may be used as a denial of service vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2019-11254
	ghsas:
	- GHSA-wxc4-f4m6-wwqv
	symbols:
	- yaml_parser_fetch_more_tokens
	derived_symbols:
	- Decoder.Decode
	- Unmarshal
	- UnmarshalStrict
	links:
	pr: https://github.com/go-yaml/yaml/pull/555
	commit: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
	context:
	- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496