CVE-2023-2251 – Uncaught Exception in eemeli/yaml
https://notcve.org/view.php?id=CVE-2023-2251
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.
• https://github.com/eemeli/yaml/commit/984f5781ffd807e58cad3b5c8da1f940dab75fba
• https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c
• CWE-248: Uncaught Exception
CVE-2022-3064 – Excessive resource consumption in gopkg.in/yaml.v2
https://notcve.org/view.php?id=CVE-2022-3064
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.
• https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
• https://github.com/go-yaml/yaml/releases/tag/v2.2.4
• https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/mes
• CWE-400: Uncontrolled Resource Consumption
CVE-2021-4235 – Denial of service in gopkg.in/yaml.v2
https://notcve.org/view.php?id=CVE-2021-4235
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector. A flaw was found in go-yaml.
• https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
• https://github.com/go-yaml/yaml/pull/375
• https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
• https://pkg.go.dev/vuln/GO-2021-0061
• https://access.redhat.com/security/cve/CVE-2021-4235
• https://bugzilla.redhat.com/show_bug.cgi?id=2156727
• CWE-400: Uncontrolled Resource Consumption
CVE-2022-28948 – golang-gopkg-yaml: crash when attempting to deserialize invalid input
https://notcve.org/view.php?id=CVE-2022-28948
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to convert (or deserialize) invalid input data, potentially impacting system stability and reliability.
• https://github.com/go-yaml/yaml/issues/666
• https://security.netapp.com/advisory/ntap-20220923-0006
• https://access.redhat.com/security/cve/CVE-2022-28948
• https://bugzilla.redhat.com/show_bug.cgi?id=2088748
• CWE-502: Deserialization of Untrusted Data
CVE-2019-20478
https://notcve.org/view.php?id=CVE-2019-20478
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
• https://www.exploit-db.com/exploits/47655