CVE-2021-4235 — Uncontrolled Resource Consumption in Yaml.v2 Gopkg.in Yaml.v2

CWE-400 — Uncontrolled Resource Consumption10 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 90.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gopkg.in Yaml.v2 Gopkg.in Yaml.v2 Gopkg.in Yaml.v2 Yaml Project Yaml +6 more

Timeline

PublishedDec 27

Latest updateAug 14

Description

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages9 packages

▶Gogopkg.in/yaml.v2< 2.2.3

▶NVDyaml_project/yaml< 2.2.3

▶debiandebian/golang-yaml.v2< golang-yaml.v2 2.2.8-1 (bookworm)

▶CVEListV5gopkg.in/yaml.v2_gopkg.in_yaml.v2< 2.2.3

▶Gogithub.com/go-yaml_yaml2.1.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

golang-yaml.v2 vulnerabilities↗2023-08-14

▶

OSV

YAML Go package vulnerable to denial of service↗2022-12-28

▶

GHSA

YAML Go package vulnerable to denial of service↗2022-12-28

▶

OSV

CVE-2021-4235: Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources↗2022-12-27

▶

OSV

Denial of service in gopkg.in/yaml.v2↗2021-04-14

▶

📋Vendor Advisories

Ubuntu

Go yaml vulnerabilities↗2023-08-14

▶

Red Hat

go-yaml: Denial of Service in go-yaml↗2022-12-27

▶

Microsoft

Denial of service in gopkg.in/yaml.v2↗2022-12-13

▶

Debian

CVE-2021-4235: golang-yaml.v2 - Due to unbounded alias chasing, a maliciously crafted YAML file can cause the sy...↗2021

▶