geofffranks / ssh-keys-alfred-workflow Goto Github PK

Vulnerable Library - github.com/go-yaml/yaml-v2.0.0+incompatible

YAML support for the Go language.

Library home page: https://proxy.golang.org/github.com/go-yaml/yaml/@v/v2.0.0+incompatible.zip

Dependency Hierarchy:

• ❌ github.com/go-yaml/yaml-v2.0.0+incompatible (Vulnerable Library)

Found in HEAD commit: 2f8b12df3a2bf883fe01937a9f307fb9fba89384

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-02

Fix Resolution: v2.2.8

Vulnerable Library - github.com/go-yaml/yaml-v2.0.0

YAML support for the Go language.

Dependency Hierarchy:

• ❌ github.com/go-yaml/yaml-v2.0.0 (Vulnerable Library)

Found in HEAD commit: 2f8b12df3a2bf883fe01937a9f307fb9fba89384

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fm53-mpmp-7qw2

Release Date: 2022-05-19

Fix Resolution: v3.0.0

Vulnerable Library - github.com/go-yaml/yaml-v2.0.0+incompatible

YAML support for the Go language.

Library home page: https://proxy.golang.org/github.com/go-yaml/yaml/@v/v2.0.0+incompatible.zip

Dependency Hierarchy:

• ❌ github.com/go-yaml/yaml-v2.0.0+incompatible (Vulnerable Library)

Found in HEAD commit: 2f8b12df3a2bf883fe01937a9f307fb9fba89384

Vulnerability Details

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Publish Date: 2022-12-27

URL: CVE-2022-3064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2022-0956

Release Date: 2022-12-27

Fix Resolution: v2.2.4

Vulnerable Library - github.com/go-yaml/yaml-v2.0.0+incompatible

YAML support for the Go language.

Library home page: https://proxy.golang.org/github.com/go-yaml/yaml/@v/v2.0.0+incompatible.zip

Dependency Hierarchy:

• ❌ github.com/go-yaml/yaml-v2.0.0+incompatible (Vulnerable Library)

Found in HEAD commit: 2f8b12df3a2bf883fe01937a9f307fb9fba89384

Vulnerability Details

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

Publish Date: 2022-12-27

URL: CVE-2021-4235

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-27

Fix Resolution: v2.2.3