CVE-2021-4235

2022-12-2722:15:11

[email protected]

web.nvd.nist.gov

225

cve-2021-4235

yaml

dos

nvd

security vulnerability

denial of service

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.3%

JSON

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

Affected configurations

NVD

Node

yaml_projectyamlRange<2.2.3go

CPENameOperatorVersion
yaml_project:yamlyaml project yamllt2.2.3

CPE	Name	Operator	Version
yaml_project:yaml	yaml project yaml	lt	2.2.3

CNA Affected

[
  {
    "vendor": "gopkg.in/yaml.v2",
    "product": "gopkg.in/yaml.v2",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "gopkg.in/yaml.v2",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.2.3",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "decoder.unmarshal"
      },
      {
        "name": "Decoder.Decode"
      },
      {
        "name": "Unmarshal"
      },
      {
        "name": "UnmarshalStrict"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "github.com/go-yaml/yaml",
    "product": "github.com/go-yaml/yaml",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "github.com/go-yaml/yaml",
    "programRoutines": [
      {
        "name": "decoder.unmarshal"
      },
      {
        "name": "Decoder.Decode"
      },
      {
        "name": "Unmarshal"
      },
      {
        "name": "UnmarshalStrict"
      }
    ],
    "defaultStatus": "affected"
  }
]