CVE-2022-3064 - Vulnerability Details

Description

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Published: 2022-12-27

Score: 7.5 High

EPSS: 2.2% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

gopkg.in/yaml.v2

unaffected

Version	Status	Constraints
`0`	affected	< 2.2.4

Configuration 1 [-]

cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
container-tools:4.0-8090020230828093056.e7857ab1	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:6938	2023-11-14T00:00:00Z
container-tools:rhel8-8090020230825121312.e7857ab1	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:6939	2023-11-14T00:00:00Z
rhc-1:0.2.5-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10784	2024-12-04T00:00:00Z
Red Hat Enterprise Linux 9
toolbox-0:0.0.99.4-6.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6346	2023-11-07T00:00:00Z
rhc-1:0.2.5-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10759	2024-12-03T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
toolbox-0:0.0.99.4-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:4443	2024-07-09T00:00:00Z
Red Hat OpenShift Container Platform 4.10
openshift4/ose-configmap-reloader:v4.10.0-202302072301.p0.g1e5a18e.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2023:0698	2023-02-15T00:00:00Z
openshift4/ose-telemeter:v4.10.0-202302201054.p0.g3b5eb87.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2023:0899	2023-03-01T00:00:00Z
openshift4/ose-sriov-cni:v4.10.0-202305101928.p0.gc574bbb.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2023:3218	2023-05-24T00:00:00Z
Red Hat OpenShift Container Platform 4.11
openshift4/ose-sriov-cni:v4.11.0-202305081228.p0.g71764f5.assembly.stream	cpe:/a:redhat:openshift:4.11::el8	RHSA-2023:2695	2023-05-18T00:00:00Z
Red Hat OpenShift Container Platform 4.12
openshift4/ose-sriov-cni:v4.12.0-202305022015.p0.g1876528.assembly.stream	cpe:/a:redhat:openshift:4.12::el8	RHSA-2023:2111	2023-05-10T00:00:00Z
Red Hat OpenShift Container Platform 4.13
openshift4/egress-router-cni-rhel8:v4.13.0-202402061238.p0.gdfe0373.assembly.stream.el8	cpe:/a:redhat:openshift:4.13::el8	RHSA-2024:0741	2024-02-14T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift4/egress-router-cni-rhel8:v4.14.0-202310201027.p0.gafffdd4.assembly.stream	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5006	2023-10-31T00:00:00Z
Red Hat OpenShift Container Platform 4.9
openshift4/ose-configmap-reloader:v4.9.0-202302111027.p0.gc041899.assembly.stream	cpe:/a:redhat:openshift:4.9::el8	RHSA-2023:0778	2023-02-22T00:00:00Z
Red Hat OpenShift Dev Spaces 3 Containers
devspaces/configbump-rhel8:3.15-2	cpe:/a:redhat:openshift_devspaces:3::el8	RHSA-2024:4631	2024-07-18T00:00:00Z
Red Hat OpenShift GitOps 1.5
openshift-gitops-1/argocd-rhel8:v1.5.10-6	cpe:/a:redhat:openshift_gitops:1.5::el8	RHSA-2023:0804	2023-02-17T00:00:00Z
Red Hat OpenShift GitOps 1.6
openshift-gitops-1/argocd-rhel8:v1.6.5-5	cpe:/a:redhat:openshift_gitops:1.6::el8	RHSA-2023:0802	2023-02-17T00:00:00Z
Red Hat OpenShift GitOps 1.7
openshift-gitops-1/argocd-rhel8:v1.7.2-5	cpe:/a:redhat:openshift_gitops:1.7::el8	RHSA-2023:0803	2023-02-17T00:00:00Z
Red Hat OpenStack Platform 16.1
etcd-0:3.3.23-12.el8ost	cpe:/a:redhat:openstack:16.1::el8	RHSA-2023:1275	2023-03-15T00:00:00Z
Red Hat OpenStack Platform 16.2
etcd-0:3.3.23-12.el8ost	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:1275	2023-03-15T00:00:00Z
Red Hat OpenStack Platform 17.0
etcd-0:3.4.14-3.el9ost	cpe:/a:redhat:openstack:17.0::el9	RHSA-2023:1014	2023-02-28T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-3479-1	golang-yaml.v2 security update
EUVD	EUVD-2022-7537	Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
Github GHSA	GHSA-6q6q-88xp-6f2r	yaml package for Go can consume excessive amounts of CPU or memory
Ubuntu USN	USN-6287-1	Go yaml vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.02223.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/advisories/GHSA-6q6q-88xp-6f2r
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
https://github.com/go-yaml/yaml/releases/tag/v2.2.4
https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
https://nvd.nist.gov/vuln/detail/CVE-2022-3064
https://pkg.go.dev/vuln/GO-2022-0956
https://www.cve.org/CVERecord?id=CVE-2022-3064

History

Mon, 14 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Redhat Enterprise Linux Openshift Openshift Devspaces Openshift Gitops Openstack Rhel Eus

Yaml Project Yaml

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-12-27T21:17:41.860Z

Updated: 2025-04-14T17:05:01.917Z

Reserved: 2022-08-30T15:40:50.104Z

Link: CVE-2022-3064

Vulnrichment

Updated: 2024-08-03T01:00:10.262Z

NVD

Status : Modified

Published: 2022-12-27T22:15:14.507

Modified: 2025-04-14T17:15:25.407

Link: CVE-2022-3064

Redhat

Severity : Important

Publid Date: 2022-08-29T00:00:00Z

Links: CVE-2022-3064 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-400

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object