CVE-2022-3064 - OpenCVE

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Yaml Project	Yaml

Configuration 1 [-]

cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*

References

Link	Resource
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5	Patch Third Party Advisory
https://github.com/go-yaml/yaml/releases/tag/v2.2.4	Release Notes Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
https://pkg.go.dev/vuln/GO-2022-0956	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Go

Published: 2022-12-27T21:17:41.860Z

Updated: 2023-06-12T19:05:17.299Z

Reserved: 2022-08-30T15:40:50.104Z

Link: CVE-2022-3064

JSON object: View

NVD Information

Status : Modified

Published: 2022-12-27T22:15:14.507

Modified: 2023-09-15T21:15:08.483

Link: CVE-2022-3064

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-3064", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-08-30T15:40:50.104Z", "datePublished": "2022-12-27T21:17:41.860Z", "dateUpdated": "2023-06-12T19:05:17.299Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:05:17.299Z"}, "title": "Excessive resource consumption in gopkg.in/yaml.v2", "descriptions": [{"lang": "en", "value": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory."}], "affected": [{"vendor": "gopkg.in/yaml.v2", "product": "gopkg.in/yaml.v2", "collectionURL": "https://pkg.go.dev", "packageName": "gopkg.in/yaml.v2", "versions": [{"version": "0", "lessThan": "2.2.4", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "decoder.unmarshal"}, {"name": "yaml_parser_increase_flow_level"}, {"name": "yaml_parser_roll_indent"}, {"name": "Decoder.Decode"}, {"name": "Unmarshal"}, {"name": "UnmarshalStrict"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 400: Uncontrolled Resource Consumption"}]}], "references": [{"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"}, {"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0956"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*", "matchCriteriaId": "1611FBF4-F2CD-4C5F-A41C-AA70F143DEA7", "versionEndExcluding": "2.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory."}, {"lang": "es", "value": "El an\u00e1lisis de documentos YAML maliciosos o de gran tama\u00f1o puede consumir cantidades excesivas de CPU o memoria."}], "id": "CVE-2022-3064", "lastModified": "2023-09-15T21:15:08.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-27T22:15:14.507", "references": [{"source": "security@golang.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"}, {"source": "security@golang.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"}, {"source": "security@golang.org", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"}, {"source": "security@golang.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-0956"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}