data/reports/GO-2020-0036.yaml - vulndb - Git at Google

 id: GO-2020-0036
 modules:
     - module: gopkg.in/yaml.v2
       versions:
         - fixed: 2.2.8
       vulnerable_at: 2.2.7
       packages:
         - package: gopkg.in/yaml.v2
           symbols:
             - yaml_parser_fetch_more_tokens
             - yaml_parser_save_simple_key
             - yaml_parser_remove_simple_key
             - yaml_parser_decrease_flow_level
             - yaml_parser_fetch_stream_start
             - yaml_parser_fetch_value
           derived_symbols:
             - Decoder.Decode
             - Unmarshal
             - UnmarshalStrict
     - module: github.com/go-yaml/yaml
       vulnerable_at: 2.1.0+incompatible
       packages:
         - package: github.com/go-yaml/yaml
           symbols:
             - yaml_parser_fetch_more_tokens
             - yaml_parser_save_simple_key
             - yaml_parser_remove_simple_key
             - yaml_parser_decrease_flow_level
             - yaml_parser_fetch_stream_start
             - yaml_parser_fetch_value
           derived_symbols:
             - Decoder.Decode
             - Unmarshal
             - UnmarshalStrict
 summary: Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2
 description: |-
     Due to unbounded aliasing, a crafted YAML file can cause consumption of
     significant system resources. If parsing user supplied input, this may be used
     as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2019-11254
 ghsas:
     - GHSA-wxc4-f4m6-wwqv
 references:
     - fix: https://github.com/go-yaml/yaml/pull/555
     - fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
     - web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
	id: GO-2020-0036
	modules:
	- module: gopkg.in/yaml.v2
	versions:
	- fixed: 2.2.8
	vulnerable_at: 2.2.7
	packages:
	- package: gopkg.in/yaml.v2
	symbols:
	- yaml_parser_fetch_more_tokens
	- yaml_parser_save_simple_key
	- yaml_parser_remove_simple_key
	- yaml_parser_decrease_flow_level
	- yaml_parser_fetch_stream_start
	- yaml_parser_fetch_value
	derived_symbols:
	- Decoder.Decode
	- Unmarshal
	- UnmarshalStrict
	- module: github.com/go-yaml/yaml
	vulnerable_at: 2.1.0+incompatible
	packages:
	- package: github.com/go-yaml/yaml
	symbols:
	- yaml_parser_fetch_more_tokens
	- yaml_parser_save_simple_key
	- yaml_parser_remove_simple_key
	- yaml_parser_decrease_flow_level
	- yaml_parser_fetch_stream_start
	- yaml_parser_fetch_value
	derived_symbols:
	- Decoder.Decode
	- Unmarshal
	- UnmarshalStrict
	summary: Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2
	description: \|-
	Due to unbounded aliasing, a crafted YAML file can cause consumption of
	significant system resources. If parsing user supplied input, this may be used
	as a denial of service vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2019-11254
	ghsas:
	- GHSA-wxc4-f4m6-wwqv
	references:
	- fix: https://github.com/go-yaml/yaml/pull/555
	- fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
	- web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496