CVE-2022-3064 - Vulnerability Details

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Enterprise Linux Openshift Openshift Devspaces Openshift Gitops Openstack Rhel Eus
Yaml Project	Yaml

Configuration 1 [-]

cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
container-tools:4.0-8090020230828093056.e7857ab1	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:6938	2023-11-14T00:00:00Z
container-tools:rhel8-8090020230825121312.e7857ab1	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:6939	2023-11-14T00:00:00Z
rhc-1:0.2.5-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10784	2024-12-04T00:00:00Z
Red Hat Enterprise Linux 9
toolbox-0:0.0.99.4-6.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6346	2023-11-07T00:00:00Z
rhc-1:0.2.5-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10759	2024-12-03T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
toolbox-0:0.0.99.4-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:4443	2024-07-09T00:00:00Z
Red Hat OpenShift Container Platform 4.10
openshift4/ose-configmap-reloader:v4.10.0-202302072301.p0.g1e5a18e.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2023:0698	2023-02-15T00:00:00Z
openshift4/ose-telemeter:v4.10.0-202302201054.p0.g3b5eb87.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2023:0899	2023-03-01T00:00:00Z
openshift4/ose-sriov-cni:v4.10.0-202305101928.p0.gc574bbb.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2023:3218	2023-05-24T00:00:00Z
Red Hat OpenShift Container Platform 4.11
openshift4/ose-sriov-cni:v4.11.0-202305081228.p0.g71764f5.assembly.stream	cpe:/a:redhat:openshift:4.11::el8	RHSA-2023:2695	2023-05-18T00:00:00Z
Red Hat OpenShift Container Platform 4.12
openshift4/ose-sriov-cni:v4.12.0-202305022015.p0.g1876528.assembly.stream	cpe:/a:redhat:openshift:4.12::el8	RHSA-2023:2111	2023-05-10T00:00:00Z
Red Hat OpenShift Container Platform 4.13
openshift4/egress-router-cni-rhel8:v4.13.0-202402061238.p0.gdfe0373.assembly.stream.el8	cpe:/a:redhat:openshift:4.13::el8	RHSA-2024:0741	2024-02-14T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift4/egress-router-cni-rhel8:v4.14.0-202310201027.p0.gafffdd4.assembly.stream	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5006	2023-10-31T00:00:00Z
Red Hat OpenShift Container Platform 4.9
openshift4/ose-configmap-reloader:v4.9.0-202302111027.p0.gc041899.assembly.stream	cpe:/a:redhat:openshift:4.9::el8	RHSA-2023:0778	2023-02-22T00:00:00Z
Red Hat OpenShift Dev Spaces 3 Containers
devspaces/configbump-rhel8:3.15-2	cpe:/a:redhat:openshift_devspaces:3::el8	RHSA-2024:4631	2024-07-18T00:00:00Z
Red Hat OpenShift GitOps 1.5
openshift-gitops-1/argocd-rhel8:v1.5.10-6	cpe:/a:redhat:openshift_gitops:1.5::el8	RHSA-2023:0804	2023-02-17T00:00:00Z
Red Hat OpenShift GitOps 1.6
openshift-gitops-1/argocd-rhel8:v1.6.5-5	cpe:/a:redhat:openshift_gitops:1.6::el8	RHSA-2023:0802	2023-02-17T00:00:00Z
Red Hat OpenShift GitOps 1.7
openshift-gitops-1/argocd-rhel8:v1.7.2-5	cpe:/a:redhat:openshift_gitops:1.7::el8	RHSA-2023:0803	2023-02-17T00:00:00Z
Red Hat OpenStack Platform 16.1
etcd-0:3.3.23-12.el8ost	cpe:/a:redhat:openstack:16.1::el8	RHSA-2023:1275	2023-03-15T00:00:00Z
Red Hat OpenStack Platform 16.2
etcd-0:3.3.23-12.el8ost	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:1275	2023-03-15T00:00:00Z
Red Hat OpenStack Platform 17.0
etcd-0:3.4.14-3.el9ost	cpe:/a:redhat:openstack:17.0::el9	RHSA-2023:1014	2023-02-28T00:00:00Z

References

Link	Providers
https://github.com/advisories/GHSA-6q6q-88xp-6f2r
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
https://github.com/go-yaml/yaml/releases/tag/v2.2.4
https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
https://nvd.nist.gov/vuln/detail/CVE-2022-3064
https://pkg.go.dev/vuln/GO-2022-0956
https://www.cve.org/CVERecord?id=CVE-2022-3064

History

No history.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-12-27T21:17:41.860Z

Updated: 2025-02-13T16:32:40.805Z

Reserved: 2022-08-30T15:40:50.104Z

Link: CVE-2022-3064

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-27T22:15:14.507

Modified: 2024-11-21T07:18:44.827

Link: CVE-2022-3064

Redhat

Severity : Important

Publid Date: 2022-08-29T00:00:00Z

Links: CVE-2022-3064 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object