зеркало из https://github.com/golang/vulndb.git
47 строки
1.5 KiB
YAML
47 строки
1.5 KiB
YAML
modules:
|
|
- module: gopkg.in/yaml.v2
|
|
versions:
|
|
- fixed: 2.2.8
|
|
vulnerable_at: 2.2.7
|
|
packages:
|
|
- package: gopkg.in/yaml.v2
|
|
symbols:
|
|
- yaml_parser_fetch_more_tokens
|
|
- yaml_parser_save_simple_key
|
|
- yaml_parser_remove_simple_key
|
|
- yaml_parser_decrease_flow_level
|
|
- yaml_parser_fetch_stream_start
|
|
- yaml_parser_fetch_value
|
|
derived_symbols:
|
|
- Decoder.Decode
|
|
- Unmarshal
|
|
- UnmarshalStrict
|
|
- module: github.com/go-yaml/yaml
|
|
vulnerable_at: 2.1.0+incompatible
|
|
packages:
|
|
- package: github.com/go-yaml/yaml
|
|
symbols:
|
|
- yaml_parser_fetch_more_tokens
|
|
- yaml_parser_save_simple_key
|
|
- yaml_parser_remove_simple_key
|
|
- yaml_parser_decrease_flow_level
|
|
- yaml_parser_fetch_stream_start
|
|
- yaml_parser_fetch_value
|
|
derived_symbols:
|
|
- Decoder.Decode
|
|
- Unmarshal
|
|
- UnmarshalStrict
|
|
description: |
|
|
Due to unbounded aliasing, a crafted YAML file can cause consumption
|
|
of significant system resources. If parsing user supplied input, this
|
|
may be used as a denial of service vector.
|
|
published: 2021-04-14T20:04:52Z
|
|
cves:
|
|
- CVE-2019-11254
|
|
ghsas:
|
|
- GHSA-wxc4-f4m6-wwqv
|
|
references:
|
|
- fix: https://github.com/go-yaml/yaml/pull/555
|
|
- fix: https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
|
|
- web: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
|