Vulnerabilites related to yaml_project - yaml
Vulnerability from fkie_nvd
Published
2023-04-24 15:15
Modified
2024-11-21 07:58
Severity ?
Summary
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yaml_project | yaml | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "50610051-3CA8-4BE1-8F5E-9D463027C628",
"versionEndExcluding": "2.2.2",
"versionStartIncluding": "2.0.0-5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5."
}
],
"id": "CVE-2023-2251",
"lastModified": "2024-11-21T07:58:14.463",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-24T15:15:08.897",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/eemeli/yaml/commit/984f5781ffd807e58cad3b5c8da1f940dab75fba"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/eemeli/yaml/commit/984f5781ffd807e58cad3b5c8da1f940dab75fba"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-248"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-27 22:15
Modified
2024-11-21 07:18
Severity ?
Summary
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yaml_project | yaml | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*",
"matchCriteriaId": "1611FBF4-F2CD-4C5F-A41C-AA70F143DEA7",
"versionEndExcluding": "2.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory."
},
{
"lang": "es",
"value": "El an\u00e1lisis de documentos YAML maliciosos o de gran tama\u00f1o puede consumir cantidades excesivas de CPU o memoria."
}
],
"id": "CVE-2022-3064",
"lastModified": "2024-11-21T07:18:44.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-27T22:15:14.507",
"references": [
{
"source": "security@golang.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
},
{
"source": "security@golang.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
},
{
"source": "security@golang.org",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
},
{
"source": "security@golang.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
},
{
"source": "security@golang.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
},
{
"source": "security@golang.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
},
{
"source": "security@golang.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
},
{
"source": "security@golang.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
},
{
"source": "security@golang.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
},
{
"source": "security@golang.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0956"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0956"
}
],
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-19 20:15
Modified
2024-11-21 06:58
Severity ?
Summary
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/go-yaml/yaml/issues/666 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20220923-0006/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/go-yaml/yaml/issues/666 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220923-0006/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yaml_project | yaml | 3.0.0 | |
| netapp | astra_trident | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yaml_project:yaml:3.0.0:*:*:*:*:go:*:*",
"matchCriteriaId": "D22E740C-CD95-4E6C-8573-CE265E558607",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:astra_trident:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A4E44A7B-F32A-43F2-B41A-CB3049100DF7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input."
},
{
"lang": "es",
"value": "Un problema en la funci\u00f3n Unmarshal de Go-Yaml versi\u00f3n v3, causa el bloqueo del programa cuando intenta de serializar una entrada no v\u00e1lida"
}
],
"id": "CVE-2022-28948",
"lastModified": "2024-11-21T06:58:14.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-19T20:15:10.567",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/issues/666"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/issues/666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-27 22:15
Modified
2024-11-21 06:37
Severity ?
Summary
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@golang.org | https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 | Patch, Third Party Advisory | |
| security@golang.org | https://github.com/go-yaml/yaml/pull/375 | Exploit, Patch, Third Party Advisory | |
| security@golang.org | https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html | ||
| security@golang.org | https://pkg.go.dev/vuln/GO-2021-0061 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/go-yaml/yaml/pull/375 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://pkg.go.dev/vuln/GO-2021-0061 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yaml_project | yaml | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*",
"matchCriteriaId": "6ADB4662-19BA-4FB2-88FB-0D8309DE5DB0",
"versionEndExcluding": "2.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector."
},
{
"lang": "es",
"value": "Debido a la b\u00fasqueda ilimitada de alias, un archivo YAML creado con fines malintencionados puede hacer que el sistema consuma importantes recursos. Si se analiza la entrada del usuario, esto se puede utilizar como un vector de denegaci\u00f3n de servicio."
}
],
"id": "CVE-2021-4235",
"lastModified": "2024-11-21T06:37:12.307",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-27T22:15:11.960",
"references": [
{
"source": "security@golang.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
},
{
"source": "security@golang.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/pull/375"
},
{
"source": "security@golang.org",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
},
{
"source": "security@golang.org",
"tags": [
"Third Party Advisory"
],
"url": "https://pkg.go.dev/vuln/GO-2021-0061"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/go-yaml/yaml/pull/375"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://pkg.go.dev/vuln/GO-2021-0061"
}
],
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2021-4235
Vulnerability from cvelistv5
Published
2022-12-27 21:13
Modified
2025-02-13 16:28
Severity ?
EPSS score ?
Summary
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | gopkg.in/yaml.v2 | gopkg.in/yaml.v2 |
Version: 0 ≤ |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:09.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-yaml/yaml/pull/375"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2021-0061"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "gopkg.in/yaml.v2",
"product": "gopkg.in/yaml.v2",
"programRoutines": [
{
"name": "decoder.unmarshal"
},
{
"name": "Decoder.Decode"
},
{
"name": "Unmarshal"
},
{
"name": "UnmarshalStrict"
}
],
"vendor": "gopkg.in/yaml.v2",
"versions": [
{
"lessThan": "2.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "affected",
"packageName": "github.com/go-yaml/yaml",
"product": "github.com/go-yaml/yaml",
"programRoutines": [
{
"name": "decoder.unmarshal"
},
{
"name": "Decoder.Decode"
},
{
"name": "Unmarshal"
},
{
"name": "UnmarshalStrict"
}
],
"vendor": "github.com/go-yaml/yaml"
}
],
"credits": [
{
"lang": "en",
"value": "@simonferquel"
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-05T23:06:18.281Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://github.com/go-yaml/yaml/pull/375"
},
{
"url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241"
},
{
"url": "https://pkg.go.dev/vuln/GO-2021-0061"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
}
],
"title": "Denial of service in gopkg.in/yaml.v2"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2021-4235",
"datePublished": "2022-12-27T21:13:42.393Z",
"dateReserved": "2022-07-29T18:56:20.415Z",
"dateUpdated": "2025-02-13T16:28:37.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2251
Vulnerability from cvelistv5
Published
2023-04-24 00:00
Modified
2025-02-04 17:12
Severity ?
EPSS score ?
Summary
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| eemeli | eemeli/yaml |
Version: unspecified < 2.0.0-5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.055Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eemeli/yaml/commit/984f5781ffd807e58cad3b5c8da1f940dab75fba"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T17:12:14.351498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T17:12:26.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "eemeli/yaml",
"vendor": "eemeli",
"versions": [
{
"lessThan": "2.0.0-5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248 Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-08T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c"
},
{
"url": "https://github.com/eemeli/yaml/commit/984f5781ffd807e58cad3b5c8da1f940dab75fba"
}
],
"source": {
"advisory": "4b494e99-5a3e-40d9-8678-277f3060e96c",
"discovery": "EXTERNAL"
},
"title": "Uncaught Exception in eemeli/yaml"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-2251",
"datePublished": "2023-04-24T00:00:00.000Z",
"dateReserved": "2023-04-24T00:00:00.000Z",
"dateUpdated": "2025-02-04T17:12:26.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-28948
Vulnerability from cvelistv5
Published
2022-05-19 19:59
Modified
2024-08-03 06:10
Severity ?
EPSS score ?
Summary
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/go-yaml/yaml/issues/666 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220923-0006/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:57.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-yaml/yaml/issues/666"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-23T14:06:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-yaml/yaml/issues/666"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-28948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/go-yaml/yaml/issues/666",
"refsource": "MISC",
"url": "https://github.com/go-yaml/yaml/issues/666"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220923-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-28948",
"datePublished": "2022-05-19T19:59:30",
"dateReserved": "2022-04-11T00:00:00",
"dateUpdated": "2024-08-03T06:10:57.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3064
Vulnerability from cvelistv5
Published
2022-12-27 21:17
Modified
2025-02-13 16:32
Severity ?
EPSS score ?
Summary
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gopkg.in/yaml.v2 | gopkg.in/yaml.v2 |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0956"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "gopkg.in/yaml.v2",
"product": "gopkg.in/yaml.v2",
"programRoutines": [
{
"name": "decoder.unmarshal"
},
{
"name": "yaml_parser_increase_flow_level"
},
{
"name": "yaml_parser_roll_indent"
},
{
"name": "Decoder.Decode"
},
{
"name": "Unmarshal"
},
{
"name": "UnmarshalStrict"
}
],
"vendor": "gopkg.in/yaml.v2",
"versions": [
{
"lessThan": "2.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T20:06:24.297Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
},
{
"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-0956"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
}
],
"title": "Excessive resource consumption in gopkg.in/yaml.v2"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-3064",
"datePublished": "2022-12-27T21:17:41.860Z",
"dateReserved": "2022-08-30T15:40:50.104Z",
"dateUpdated": "2025-02-13T16:32:40.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}