First published: Thu May 19 2022
A flaw was found in the Unmarshal function in Go-Yaml. The issue causes the program to crash when attempting to deserialize invalid input.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
go/gopkg.in/yaml.v3 | <3.0.0-20220521103104-8f96da9f5d5e | 3.0.0-20220521103104-8f96da9f5d5e |
Yaml Project Yaml | =3.0.0 | |
Netapp Astra Trident | | |
redhat/golang-gopkg-yaml | <3.0.0 | 3.0.0 |
=3.0.0 | | |
CVE-2022-28948 is a vulnerability in the Unmarshal function in Go-Yaml v3 that causes the program to crash when attempting to deserialize invalid input.
CVE-2022-28948 has a severity of 7.5 (High).
CVE-2022-28948 affects the gopkg.in/yaml.v3 Go package (versions before 3.0.0-20220521103104-8f96da9f5d5e), the Red Hat golang-gopkg-yaml package (versions before 3.0.0), Yaml Project Yaml (version 3.0.0), and Netapp Astra Trident.
To fix CVE-2022-28948, update the affected software packages to version 3.0.0-20220521103104-8f96da9f5d5e for Go, version 3.0.0 for Red Hat, and version 3.0.0 for Yaml Project Yaml.
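One way to apply the table's Go module row to a project's go.mod, as an added example that is not from the advisory or the go-yaml project. It follows Go's version ordering, in which a pseudo-version sorts before the tagged release of the same X.Y.Z; the function names and the sample go.mod are constructed for illustration, and `replace` directives are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

const modPath = "gopkg.in/yaml.v3"                 // module path, from the advisory table
const fixed = "v3.0.0-20220521103104-8f96da9f5d5e" // first fixed version, same table

// parse splits "vX.Y.Z[-pre]" into its numeric core and pre-release tag.
func parse(v string) (core [3]int, pre string, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &core[0], &core[1], &core[2])
	_, pre, _ = strings.Cut(v, "-")
	return
}

// olderThanFix reports whether v sorts before fixed under Go's version ordering.
func olderThanFix(v string) (bool, error) {
	vc, vp, err := parse(v)
	if err != nil {
		return false, err
	}
	fc, fp, _ := parse(fixed)
	for i := range vc {
		if vc[i] != fc[i] {
			return vc[i] < fc[i], nil
		}
	}
	// Same X.Y.Z: a release sorts after a pre-release; assumes timestamp-hash tags, compared as strings.
	return vp != "" && vp < fp, nil
}

// vulnerableRequires lists required versions of modPath that predate the fix or cannot be parsed.
func vulnerableRequires(gomod string) (hits []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == modPath {
			if old, err := olderThanFix(f[1]); old || err != nil {
				hits = append(hits, f[1])
			}
		}
	}
	return hits
}

func main() {
	sample := "require (\n\tgopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect\n)\n" // constructed
	fmt.Println("predates fix:", vulnerableRequires(sample))
}
```

Indirect requirements are listed as well, since a transitive dependency can pin the older pseudo-version.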
You can find more information about CVE-2022-28948 on the following sources:

- [CVE-2022-28948 on CVE](https://www.cve.org/CVERecord?id=CVE-2022-28948)
- [CVE-2022-28948 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)
- [GitHub Advisory GHSA-hp87-p4gw-j4gq](https://github.com/advisories/GHSA-hp87-p4gw-j4gq)