GHSA-r88r-gmrh-7j83

Source

https://github.com/advisories/GHSA-r88r-gmrh-7j83

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-r88r-gmrh-7j83/GHSA-r88r-gmrh-7j83.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r88r-gmrh-7j83

Aliases

Related

CGA-p836-mcw8-43j4

Published

2022-12-28T00:30:23Z

Modified

2024-09-11T06:12:51.550698Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

YAML Go package vulnerable to denial of service

Details

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

References

Affected packages

Go / gopkg.in/yaml.v2

Package

Name: gopkg.in/yaml.v2; View open source insights on deps.dev
Purl: pkg:golang/gopkg.in/yaml.v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.3

Go / github.com/go-yaml/yaml

Package

Name: github.com/go-yaml/yaml; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-yaml/yaml

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.1.0