go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents

🗓️ 14 Nov 2023 15:32:31Reported by RedHatType

redhat

redhat🔗 access.redhat.com👁 2 Views

Improve go-yaml heuristics to prevent CPU and memory abuse from large or malicious YAML.

Reporter	Title	Published	Views	Family All 169
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion and IBM Storage Fusion HCI may be vulnerable to denial of service and link following via Go-Yaml, kube-apiserver, Golang Go and Beego	29 Aug 202321:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Planning Analytics Connector for SAP is affected by security vulnerabilities	2 Apr 202418:29	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs	26 Mar 202503:48	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064)	6 Mar 202307:49	–	ibm
Tenable Nessus	Alibaba Cloud Linux 3 : 0050: container-tools:rhel8 (ALINUX3-SA-2024:0050)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : container-tools:4.0 (ALSA-2023:6938)	2 Jul 202500:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: etcd / packer (CVE-2022-3064)	10 Feb 202500:00	–	nessus
Tenable Nessus	Debian dla-3479 : golang-gopkg-yaml.v2-dev - security update	6 Jul 202300:00	–	nessus
Tenable Nessus	Fedora 37 : manifest-tool (2023-11dafed208)	14 Mar 202300:00	–	nessus
Tenable Nessus	Fedora 38 : manifest-tool (2023-5312f6200c)	10 Mar 202300:00	–	nessus

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	8	aarch64	aardvark-dns	2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f	aardvark-dns-2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f.aarch64.rpm
Red Hat Enterprise Linux	8	ppc64le	aardvark-dns	2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f	aardvark-dns-2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f.ppc64le.rpm
Red Hat Enterprise Linux	8	s390x	aardvark-dns	2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f	aardvark-dns-2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f.s390x.rpm
Red Hat Enterprise Linux	8	x86_64	aardvark-dns	2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f	aardvark-dns-2:1.0.1-38.module+el8.9.0+19098+6e7a5e3f.x86_64.rpm
Red Hat Enterprise Linux	8	aarch64	buildah	1:1.24.6-7.module+el8.9.0+19784+443be299	buildah-1:1.24.6-7.module+el8.9.0+19784+443be299.aarch64.rpm
Red Hat Enterprise Linux	8	ppc64le	buildah	1:1.24.6-7.module+el8.9.0+19784+443be299	buildah-1:1.24.6-7.module+el8.9.0+19784+443be299.ppc64le.rpm
Red Hat Enterprise Linux	8	s390x	buildah	1:1.24.6-7.module+el8.9.0+19784+443be299	buildah-1:1.24.6-7.module+el8.9.0+19784+443be299.s390x.rpm
Red Hat Enterprise Linux	8	x86_64	buildah	1:1.24.6-7.module+el8.9.0+19784+443be299	buildah-1:1.24.6-7.module+el8.9.0+19784+443be299.x86_64.rpm
Red Hat Enterprise Linux	8	aarch64	buildah-debuginfo	1:1.24.6-7.module+el8.9.0+19784+443be299	buildah-debuginfo-1:1.24.6-7.module+el8.9.0+19784+443be299.aarch64.rpm
Red Hat Enterprise Linux	8	ppc64le	buildah-debuginfo	1:1.24.6-7.module+el8.9.0+19784+443be299	buildah-debuginfo-1:1.24.6-7.module+el8.9.0+19784+443be299.ppc64le.rpm

Source	Link
access	www.access.redhat.com/security/cve/CVE-2022-3064
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
github	www.github.com/advisories/GHSA-6q6q-88xp-6f2r
github	www.github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
github	www.github.com/go-yaml/yaml/releases/tag/v2.2.4
nvd	www.nvd.nist.gov/vuln/detail/CVE-2022-3064
pkg	www.pkg.go.dev/vuln/GO-2022-0956
cve	www.cve.org/CVERecord

02 Jun 2026 22:52Current

7.3High risk

Vulners AI Score7.3

CVSS 3.17.5

EPSS0.02229

SSVC

yaml parser security flaw resource abuse memory usage cpu usage malicious input large documents