data/reports/GO-2022-0956.yaml - vulndb - Git at Google

 id: GO-2022-0956
 modules:
     - module: gopkg.in/yaml.v2
       versions:
         - fixed: 2.2.4
       vulnerable_at: 2.2.3
       packages:
         - package: gopkg.in/yaml.v2
           symbols:
             - decoder.unmarshal
             - yaml_parser_increase_flow_level
             - yaml_parser_roll_indent
           derived_symbols:
             - Decoder.Decode
             - Unmarshal
             - UnmarshalStrict
 summary: Excessive resource consumption in gopkg.in/yaml.v2
 description: |-
     Parsing malicious or large YAML documents can consume excessive amounts of CPU
     or memory.
 published: 2022-08-29T22:15:46Z
 ghsas:
     - GHSA-6q6q-88xp-6f2r
 references:
     - fix: https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
     - web: https://github.com/go-yaml/yaml/releases/tag/v2.2.4
 cve_metadata:
     id: CVE-2022-3064
     cwe: 'CWE 400: Uncontrolled Resource Consumption'
     references:
         - https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/
	id: GO-2022-0956
	modules:
	- module: gopkg.in/yaml.v2
	versions:
	- fixed: 2.2.4
	vulnerable_at: 2.2.3
	packages:
	- package: gopkg.in/yaml.v2
	symbols:
	- decoder.unmarshal
	- yaml_parser_increase_flow_level
	- yaml_parser_roll_indent
	derived_symbols:
	- Decoder.Decode
	- Unmarshal
	- UnmarshalStrict
	summary: Excessive resource consumption in gopkg.in/yaml.v2
	description: \|-
	Parsing malicious or large YAML documents can consume excessive amounts of CPU
	or memory.
	published: 2022-08-29T22:15:46Z
	ghsas:
	- GHSA-6q6q-88xp-6f2r
	references:
	- fix: https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
	- web: https://github.com/go-yaml/yaml/releases/tag/v2.2.4
	cve_metadata:
	id: CVE-2022-3064
	cwe: 'CWE 400: Uncontrolled Resource Consumption'
	references:
	- https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/