First published: Tue Dec 27 2022
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
Credit: security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-clients | <0:4.12.0-202301042257.p0.g854f807.assembly.stream.el9 | 0:4.12.0-202301042257.p0.g854f807.assembly.stream.el9 |
| ubuntu/golang-yaml.v2 | <0.0+ | 0.0+ |
| ubuntu/golang-yaml.v2 | <2.2.2-1ubuntu0.1 | 2.2.2-1ubuntu0.1 |
| ubuntu/golang-yaml.v2 | <2.2.3 | 2.2.3 |
| ubuntu/golang-yaml.v2 | <0.0+ | 0.0+ |
| Yaml Project Yaml | <2.2.3 | |
| redhat/go-yaml | <2.2.3 | 2.2.3 |
| debian/golang-yaml.v2 | <=2.2.2-1 | 2.2.2-1+deb10u1, 2.4.0-1, 2.4.0-4 |
CVE-2021-4235 is a vulnerability caused by unbounded alias chasing in go-yaml, allowing a maliciously crafted YAML file to consume significant system resources and potentially be used as a denial of service vector.
CVE-2021-4235 can lead to excessive consumption of system resources when parsing user input, potentially causing a denial of service.
The affected software versions include golang-yaml.v2 0.0+ (Ubuntu Bionic), golang-yaml.v2 2.2.2-1ubuntu0.1 (Ubuntu Focal), golang-yaml.v2 2.2.3 (Ubuntu upstream), golang-yaml.v2 0.0+ (Ubuntu Xenial), golang-yaml.v2 2.2.2-1+deb10u1, 2.4.0-1, 2.4.0-4 (Debian), go-yaml 2.2.3 (Red Hat), and openshift-clients 0:4.12.0-202301042257.p0.g854f807.assembly.stream.el9 (Red Hat).
CVE-2021-4235 has a severity level of medium with a CVSS score of 5.5.
To fix CVE-2021-4235, it is recommended to update the affected software to the latest secure version provided by the respective vendors.
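Upgrading to a fixed go-yaml release is the primary remedy. As an added example that is not part of this advisory or of the go-yaml project, the Go code below shows the complementary defence for services that must accept YAML from untrusted callers: a pre-parse budget on alias references, so that a document relying on alias chasing to inflate its expansion is rejected before the parser ever runs. `AliasStats`, `CountAliases` and `CheckAliasBudget` are hypothetical names, and the scanner is deliberately a coarse guard rather than a full YAML tokenizer.

```go
package main

import "fmt"

// AliasStats counts '&name' anchor definitions and '*name' alias references.
type AliasStats struct{ Anchors, Aliases int }

// isBoundary reports whether c may directly precede a YAML anchor, alias, comment or quoted scalar.
func isBoundary(c byte) bool {
	return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '[' || c == '{' || c == ','
}

// CountAliases scans raw YAML text for anchors and aliases without building a document tree,
// skipping comments and quoted scalars. It is a coarse pre-parse budget check, not a YAML tokenizer.
func CountAliases(doc []byte) (st AliasStats) {
	doc = append(append(make([]byte, 0, len(doc)+1), doc...), '\n') // sentinel: doc[i+1] always valid
	var state byte // 0, or the byte that opened the current comment ('#') or quoted scalar
	for i := 0; i+1 < len(doc); i++ {
		c, next := doc[i], doc[i+1]
		switch {
		case state == '#' && c == '\n': // a comment ends at end of line
			state = 0
		case state == '#':
		case state != 0: // inside a quoted scalar
			if (state == '"' && c == '\\') || (state == '\'' && c == '\'' && next == '\'') {
				i++ // skip an escaped character: \x in double quotes, '' in single quotes
			} else if c == state {
				state = 0
			}
		case i == 0 || isBoundary(doc[i-1]): // at a token start
			switch {
			case c == '#' || c == '"' || c == '\'':
				state = c
			case c == '&' && !isBoundary(next):
				st.Anchors++
			case c == '*' && !isBoundary(next):
				st.Aliases++
			}
		}
	}
	return st
}

// CheckAliasBudget rejects doc before it reaches the YAML parser when it holds more alias references than maxAliases.
func CheckAliasBudget(doc []byte, maxAliases int) error {
	if st := CountAliases(doc); st.Aliases > maxAliases {
		return fmt.Errorf("yaml alias budget exceeded: %d aliases, limit %d", st.Aliases, maxAliases)
	}
	return nil
}
```

Pair the budget with an input size limit on the request body; ordinary configuration documents need only a handful of aliases, so a small fixed budget costs nothing legitimate.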