First published: Mon Aug 29 2022
A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.
Credit: security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/etcd | <0:3.3.23-12.el8 | 0:3.3.23-12.el8 |
| redhat/etcd | <0:3.4.14-3.el9 | 0:3.4.14-3.el9 |
| ubuntu/golang-yaml.v2 | <2.2.4 | 2.2.4 |
| ubuntu/golang-yaml.v2 | <0.0+ | 0.0+ |
| ubuntu/golang-yaml.v2 | <2.2.2-1ubuntu0.1 | 2.2.2-1ubuntu0.1 |
| ubuntu/golang-yaml.v2 | <0.0+ | 0.0+ |
| Yaml Project Yaml | <2.2.4 | |
| go/gopkg.in/yaml.v2 | <2.2.4 | 2.2.4 |
| redhat/gopkg.in/yaml.v2 | <2.2.4 | 2.2.4 |
| debian/golang-yaml.v2 | <=2.2.2-1 | 2.2.2-1+deb10u1, 2.4.0-1, 2.4.0-4 |
CVE-2022-3064 is a vulnerability that can cause the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.
The severity of CVE-2022-3064 is high, with a CVSS score of 7.5.
The affected software includes:

- go-yaml version up to 2.2.4
- golang-yaml.v2 up to version 2.2.4 on Ubuntu
- golang-yaml.v2 version up to 2.2.2-1ubuntu0.1 on Ubuntu Focal
- golang-yaml.v2 version up to 0.0+ on Ubuntu Xenial
- golang-yaml.v2 version up to 0.0+ on Ubuntu Bionic
- golang-yaml.v2 version up to 2.2.2-1 on Debian
- gopkg.in/yaml.v2 version up to 2.2.4 on Red Hat
- etcd version up to 3.3.23-12.el8 on Red Hat
- etcd version up to 3.4.14-3.el9 on Red Hat
- gopkg.in/yaml.v2 version up to 2.2.4 on Go
To fix CVE-2022-3064 in go-yaml, you should update to version 2.2.4 or later.
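The following Go program is an added example, not part of this advisory or of the go-yaml project. It checks a go.mod file for a `gopkg.in/yaml.v2` requirement older than the fixed release v2.2.4 from the table above, which is the inventory check a defender runs across repositories to find builds still pulling the affected module. The go.mod text it scans is constructed for the demonstration; the `IsAffected`, `requiredVersion` and `versionLess` helpers are this example's own names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod content used only for this demonstration.
const sampleGoMod = `module example.com/app

go 1.19

require (
	github.com/spf13/cobra v1.5.0
	gopkg.in/yaml.v2 v2.2.2 // indirect
)
`

// Module and fixed version taken from the advisory above.
const affectedModule = "gopkg.in/yaml.v2"
const fixedVersion = "v2.2.4"

// parseVersion turns "v2.2.2" (with any "-pre" or "+meta" suffix dropped)
// into its three numeric components.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version format %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("non-numeric version component %q", p)
		}
		out[i] = n
	}
	return out, nil
}

// versionLess reports whether semantic version a is older than b.
func versionLess(a, b string) (bool, error) {
	va, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if va[i] != vb[i] {
			return va[i] < vb[i], nil
		}
	}
	return false, nil
}

// requiredVersion scans go.mod text for the version required for module,
// handling both single-line "require m v" and block "require ( ... )" forms.
// Trailing "// indirect" comments are ignored.
func requiredVersion(gomod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) == 3 && fields[0] == "require" {
				fields = fields[1:]
			} else {
				continue
			}
		}
		if len(fields) >= 2 && fields[0] == module {
			return fields[1], true
		}
	}
	return "", false
}

// IsAffected reports whether the go.mod text requires gopkg.in/yaml.v2 older
// than v2.2.4, and returns the version it found. Note: "replace" directives
// and the full module graph are not evaluated here; use "go list -m" or
// govulncheck for the effective version in a real build.
func IsAffected(gomod string) (bool, string, error) {
	v, ok := requiredVersion(gomod, affectedModule)
	if !ok {
		return false, "", nil
	}
	less, err := versionLess(v, fixedVersion)
	return less, v, err
}

func main() {
	affected, v, err := IsAffected(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s affected by CVE-2022-3064: %v\n", affectedModule, v, affected)
}
```

The check only reads the direct requirement; a `replace` directive or a newer version pulled in by another dependency changes the effective version, so confirm with `go list -m gopkg.in/yaml.v2` in the module root or run govulncheck, which reports the resolved version against the Go vulnerability database.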
You can find more information about CVE-2022-3064 at the following references: [Link 1](https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5), [Link 2](https://github.com/go-yaml/yaml/releases/tag/v2.2.4), [Link 3](https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html).