Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01864.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Redhat
  • Enterprise Linux
  • Openshift
  • Openshift Devspaces
  • Openshift Gitops
  • Openstack
  • Rhel Eus
Yaml Project
  • Yaml

Configuration 1 [-]

cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 8
container-tools:4.0-8090020230828093056.e7857ab1 cpe:/a:redhat:enterprise_linux:8 RHSA-2023:6938 2023-11-14T00:00:00Z
container-tools:rhel8-8090020230825121312.e7857ab1 cpe:/a:redhat:enterprise_linux:8 RHSA-2023:6939 2023-11-14T00:00:00Z
rhc-1:0.2.5-1.el8_10 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:10784 2024-12-04T00:00:00Z
Red Hat Enterprise Linux 9
toolbox-0:0.0.99.4-6.el9_3 cpe:/a:redhat:enterprise_linux:9 RHSA-2023:6346 2023-11-07T00:00:00Z
rhc-1:0.2.5-1.el9_5 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:10759 2024-12-03T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
toolbox-0:0.0.99.4-1.el9_2 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:4443 2024-07-09T00:00:00Z
Red Hat OpenShift Container Platform 4.10
openshift4/ose-configmap-reloader:v4.10.0-202302072301.p0.g1e5a18e.assembly.stream cpe:/a:redhat:openshift:4.10::el8 RHSA-2023:0698 2023-02-15T00:00:00Z
openshift4/ose-telemeter:v4.10.0-202302201054.p0.g3b5eb87.assembly.stream cpe:/a:redhat:openshift:4.10::el8 RHSA-2023:0899 2023-03-01T00:00:00Z
openshift4/ose-sriov-cni:v4.10.0-202305101928.p0.gc574bbb.assembly.stream cpe:/a:redhat:openshift:4.10::el8 RHSA-2023:3218 2023-05-24T00:00:00Z
Red Hat OpenShift Container Platform 4.11
openshift4/ose-sriov-cni:v4.11.0-202305081228.p0.g71764f5.assembly.stream cpe:/a:redhat:openshift:4.11::el8 RHSA-2023:2695 2023-05-18T00:00:00Z
Red Hat OpenShift Container Platform 4.12
openshift4/ose-sriov-cni:v4.12.0-202305022015.p0.g1876528.assembly.stream cpe:/a:redhat:openshift:4.12::el8 RHSA-2023:2111 2023-05-10T00:00:00Z
Red Hat OpenShift Container Platform 4.13
openshift4/egress-router-cni-rhel8:v4.13.0-202402061238.p0.gdfe0373.assembly.stream.el8 cpe:/a:redhat:openshift:4.13::el8 RHSA-2024:0741 2024-02-14T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift4/egress-router-cni-rhel8:v4.14.0-202310201027.p0.gafffdd4.assembly.stream cpe:/a:redhat:openshift:4.14::el8 RHSA-2023:5006 2023-10-31T00:00:00Z
Red Hat OpenShift Container Platform 4.9
openshift4/ose-configmap-reloader:v4.9.0-202302111027.p0.gc041899.assembly.stream cpe:/a:redhat:openshift:4.9::el8 RHSA-2023:0778 2023-02-22T00:00:00Z
Red Hat OpenShift Dev Spaces 3 Containers
devspaces/configbump-rhel8:3.15-2 cpe:/a:redhat:openshift_devspaces:3::el8 RHSA-2024:4631 2024-07-18T00:00:00Z
Red Hat OpenShift GitOps 1.5
openshift-gitops-1/argocd-rhel8:v1.5.10-6 cpe:/a:redhat:openshift_gitops:1.5::el8 RHSA-2023:0804 2023-02-17T00:00:00Z
Red Hat OpenShift GitOps 1.6
openshift-gitops-1/argocd-rhel8:v1.6.5-5 cpe:/a:redhat:openshift_gitops:1.6::el8 RHSA-2023:0802 2023-02-17T00:00:00Z
Red Hat OpenShift GitOps 1.7
openshift-gitops-1/argocd-rhel8:v1.7.2-5 cpe:/a:redhat:openshift_gitops:1.7::el8 RHSA-2023:0803 2023-02-17T00:00:00Z
Red Hat OpenStack Platform 16.1
etcd-0:3.3.23-12.el8ost cpe:/a:redhat:openstack:16.1::el8 RHSA-2023:1275 2023-03-15T00:00:00Z
Red Hat OpenStack Platform 16.2
etcd-0:3.3.23-12.el8ost cpe:/a:redhat:openstack:16.2::el8 RHSA-2023:1275 2023-03-15T00:00:00Z
Red Hat OpenStack Platform 17.0
etcd-0:3.4.14-3.el9ost cpe:/a:redhat:openstack:17.0::el9 RHSA-2023:1014 2023-02-28T00:00:00Z

No data.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-3479-1 golang-yaml.v2 security update
EUVD EUVD EUVD-2022-7537 Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
Github GHSA Github GHSA GHSA-6q6q-88xp-6f2r yaml package for Go can consume excessive amounts of CPU or memory
Ubuntu USN Ubuntu USN USN-6287-1 Go yaml vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/advisories/GHSA-6q6q-88xp-6f2r cve-icon
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5 cve-icon cve-icon cve-icon
https://github.com/go-yaml/yaml/releases/tag/v2.2.4 cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2022-3064 cve-icon
https://pkg.go.dev/vuln/GO-2022-0956 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2022-3064 cve-icon
History

Mon, 14 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2025-04-14T17:05:01.917Z

Reserved: 2022-08-30T15:40:50.104Z

Link: CVE-2022-3064

cve-icon Vulnrichment

Updated: 2024-08-03T01:00:10.262Z

cve-icon NVD

Status : Modified

Published: 2022-12-27T22:15:14.507

Modified: 2025-04-14T17:15:25.407

Link: CVE-2022-3064

cve-icon Redhat

Severity : Important

Publid Date: 2022-08-29T00:00:00Z

Links: CVE-2022-3064 - Bugzilla

cve-icon OpenCVE Enrichment

No data.