x/vulndb: potential Go vuln in gopkg.in/yaml.v2: CVE-2022-3064 #956

Closed
neild opened this issue Aug 22, 2022 · 4 comments

Comments

@neild
Contributor

neild commented Aug 22, 2022

Description

v2.2.4 of gopkg.in/yaml.v2 includes fixes for excessive CPU consumption when parsing untrusted inputs:

https://github.com/go-yaml/yaml/tags

Improve heuristics preventing CPU/memory abuse (go-yaml/yaml#515)

Affected Modules, Packages, Versions and Symbols

Module: gopkg.in/yaml.v2
Package: gopkg.in/yaml.v2
Versions:
  - Introduced: 1.2.0
  - Fixed: 1.2.4

Does this vulnerability already have an associated CVE ID?

No

CVE ID

No response

Credit

No response

CWE ID

No response

Pull Request

No response

Commit

No response

References

No response

Additional information

No response

@gopherbot
Contributor

Change https://go.dev/cl/425081 mentions this issue: x/vulndb: add data/reports/GO-2022-0956.yaml

@julieqiu
Member

Reopening for us to add the CVE metadata.

@julieqiu julieqiu reopened this Aug 30, 2022
@julieqiu julieqiu assigned tatianab and unassigned neild Aug 30, 2022
@tatianab
Contributor

This is CVE-2022-3064

@gopherbot
Contributor

Change https://go.dev/cl/426694 mentions this issue: data/reports: add CVE metadata for GO-2022-0956.yaml

@tatianab tatianab changed the title from "x/vulndb: potential Go vuln in gopkg.in/yaml.v2" to "x/vulndb: potential Go vuln in gopkg.in/yaml.v2: CVE-2022-3064" Aug 30, 2022
gopherbot pushed a commit that referenced this issue Aug 30, 2022
Updates #956

Change-Id: Id812cfd56fb28601f9202a1eb3931b6b3d70d8b9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/426694
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
@tatianab tatianab closed this as completed Sep 1, 2022