CVE-2022-28948
First published: Thu May 19 2022(Updated: )
A flaw was found in the Unmarshal function in Go-Yaml. The issue causes the program to crash when attempting to deserialize invalid input.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/gopkg.in/yaml.v3 | <3.0.0-20220521103104-8f96da9f5d5e | 3.0.0-20220521103104-8f96da9f5d5e |
| Yaml Project Yaml | =3.0.0 | |
| Netapp Astra Trident | ||
| redhat/golang-gopkg-yaml | <3.0.0 | 3.0.0 |
| =3.0.0 | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-28948
- https://github.com/go-yaml/yaml/issues/666
- https://github.com/go-yaml/yaml/commit/8f96da9f5d5eff988554c1aae1784627c4bf6754
- https://security.netapp.com/advisory/ntap-20220923-0006/
- https://github.com/advisories/GHSA-hp87-p4gw-j4gq (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2022-28948 https://nvd.nist.gov/vuln/detail/CVE-2022-28948 https://github.com/advisories/GHSA-hp87-p4gw-j4gq
- https://bugzilla.redhat.com/show_bug.cgi?id=2088748
- https://access.redhat.com/errata/RHSA-2022:4985
- https://access.redhat.com/security/cve/cve-2022-28948
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2092689
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2092690
- https://security.netapp.com/advisory/ntap-20220923-0006
Frequently Asked Questions
What is CVE-2022-28948?
CVE-2022-28948 is a vulnerability in the Unmarshal function in Go-Yaml v3 that causes the program to crash when attempting to deserialize invalid input.
What is the severity of CVE-2022-28948?
CVE-2022-28948 has a severity of 7.5 (High).
How does CVE-2022-28948 affect the affected software?
CVE-2022-28948 affects gopkg.in/yaml.v3 package (version up to 3.0.0-20220521103104-8f96da9f5d5e) in Go, golang-gopkg-yaml package (version up to 3.0.0) in Red Hat, Yaml Project Yaml (version 3.0.0), and Netapp Astra Trident.
How can I fix CVE-2022-28948?
To fix CVE-2022-28948, update the affected software packages to version 3.0.0-20220521103104-8f96da9f5d5e for Go, version 3.0.0 for Red Hat, and version 3.0.0 for Yaml Project Yaml.
Where can I find more information about CVE-2022-28948?
You can find more information about CVE-2022-28948 on the following sources: - [CVE-2022-28948 on CVE](https://www.cve.org/CVERecord?id=CVE-2022-28948) - [CVE-2022-28948 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) - [GitHub Advisory GHSA-hp87-p4gw-j4gq](https://github.com/advisories/GHSA-hp87-p4gw-j4gq)
- collector/redhat-cve
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-28948
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hp87-p4gw-j4gq
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/yaml project
- canonical/yaml project yaml
- version/yaml project yaml/3.0.0
- vendor/netapp
- canonical/netapp astra trident
- package-manager/redhat
- package-manager/go