CVE-2022-3064

NameCVE-2022-3064
DescriptionParsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-yaml.v2 (PTS)buster2.2.2-1vulnerable
bullseye2.4.0-1fixed
bookworm, sid2.4.0-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-yaml.v2source(unstable)2.2.8-1

Notes

https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5 (v2.2.4)
check if affect other versions of "go-yaml"

Search for package or bug name: Reporting problems