CVE-2021-4235

{"id": "CVE-2021-4235", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-12-27T22:15:11.960", "references": [{"url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241", "tags": ["Patch", "Third Party Advisory"], "source": "security@golang.org"}, {"url": "https://github.com/go-yaml/yaml/pull/375", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security@golang.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html", "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2021-0061", "tags": ["Third Party Advisory"], "source": "security@golang.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector."}, {"lang": "es", "value": "Debido a la b\u00fasqueda ilimitada de alias, un archivo YAML creado con fines malintencionados puede hacer que el sistema consuma importantes recursos. Si se analiza la entrada del usuario, esto se puede utilizar como un vector de denegaci\u00f3n de servicio."}], "lastModified": "2023-07-06T00:15:09.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "6ADB4662-19BA-4FB2-88FB-0D8309DE5DB0", "versionEndExcluding": "2.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}