CVE-2022-28948
Unmarshal function panic vulnerability in yaml.v3 (Go)


What is CVE-2022-28948 About?

This vulnerability is a crash in the Unmarshal function of gopkg.in/yaml.v3: given certain invalid YAML input, the decoder panics instead of returning an error, and an unrecovered panic terminates the Go process. The result is a denial of service against the application. Exploitation is straightforward: the attacker only needs to get a malformed document to a code path that unmarshals it.

Affected Software

  • gopkg.in/yaml.v3
    • <3.0.1 (tagged releases)
    • <3.0.0-20220521103104-8f96da9f5d5e (pseudo-versions; this is the pseudo-version of the fixing commit 8f96da9f5d5e dated 2022-05-21)

Technical Details

The defect is in the Unmarshal function of gopkg.in/yaml.v3. When the decoder is handed specific invalid input, it reaches a state the code does not handle and panics at runtime rather than reporting the problem through the function's error return, which is the contract callers rely on. Nothing in the library recovers that panic, so it propagates up the calling goroutine and, unless the application recovers it, terminates the process. The attack vector is simply malformed input delivered to this deserialization logic. No memory corruption is involved; a Go panic is a controlled abort, which is why the impact is limited to availability.
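As an added illustration (not code from this page or from the go-yaml project), the following Go program shows the shape of the failure and the standard containment measure while an upgrade is pending. The affected parser is modelled by a deliberately buggy toy decoder, naiveDecode, which is constructed for this example and is not yaml.v3's code; the SafeUnmarshal wrapper, the ErrDecoderPanic name and the sample inputs are likewise assumptions made here. SafeUnmarshal accepts any function with the signature of yaml.Unmarshal, so the real call would be SafeUnmarshal(yaml.Unmarshal, in, &out).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DecodeFunc has the same shape as yaml.Unmarshal from gopkg.in/yaml.v3,
// so SafeUnmarshal can wrap the real function without any adapter.
type DecodeFunc func(in []byte, out interface{}) error

// ErrDecoderPanic (name constructed for this example) wraps a recovered panic
// so callers can distinguish "decoder crashed" from an ordinary parse error.
var ErrDecoderPanic = errors.New("decoder panicked on input")

// SafeUnmarshal runs decode and converts a panic into a returned error.
// It only protects the goroutine that calls it: a panic in any other goroutine
// still terminates the process, and recover() is containment, not a fix.
func SafeUnmarshal(decode DecodeFunc, in []byte, out interface{}) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrDecoderPanic, r)
		}
	}()
	return decode(in, out)
}

// naiveDecode is a constructed stand-in for the affected decoder. It parses
// "key: value" lines into *map[string]string and carries a deliberate bug of
// the same class as the CVE: on a line without ':' strings.IndexByte returns
// -1, and line[:i] then panics with a runtime "slice bounds out of range"
// error instead of returning a parse error to the caller.
func naiveDecode(in []byte, out interface{}) error {
	m, ok := out.(*map[string]string)
	if !ok {
		return errors.New("naiveDecode: out must be *map[string]string")
	}
	*m = map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(in)), "\n") {
		i := strings.IndexByte(line, ':')
		// The missing `if i < 0 { return ... }` check is the deliberate defect.
		(*m)[strings.TrimSpace(line[:i])] = strings.TrimSpace(line[i+1:])
	}
	return nil
}

func main() {
	good := []byte("name: app\nreplicas: 3") // constructed well-formed input
	bad := []byte("name: app\nnocolon")       // constructed malformed input

	var cfg map[string]string
	if err := SafeUnmarshal(naiveDecode, good, &cfg); err != nil {
		fmt.Println("unexpected error:", err)
	}
	fmt.Println("decoded:", cfg)

	// Calling naiveDecode(bad, &cfg) directly would crash the whole process;
	// through the wrapper the panic surfaces as an error the caller can log.
	err := SafeUnmarshal(naiveDecode, bad, &cfg)
	fmt.Println("malformed input rejected:", errors.Is(err, ErrDecoderPanic), err)
}
```

The wrapper is a stop-gap: it keeps a single malformed document from taking down a CLI, worker or controller, but it does nothing for panics in other goroutines and it hides a real bug behind a generic error, so the library upgrade is still required.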

What is the Impact of CVE-2022-28948?

Successful exploitation crashes the process that unmarshals the attacker-supplied document, disrupting service and producing a denial of service for everything served by that process. The impact is to availability only; the issue does not lead to information disclosure or code execution.

What is the Exploitability of CVE-2022-28948?

Exploiting this issue requires only that attacker-controlled bytes reach yaml.Unmarshal: a configuration file, an API request body, a Kubernetes manifest, a webhook payload. The triggering document is fixed by the bug, so once it is known no search or tuning is needed, and no authentication or privilege is required beyond whatever gates access to the endpoint or file. Whether the attack is remote or local depends entirely on how the application exposes the deserialization path. One caveat on blast radius: Go's net/http server recovers a panic raised directly inside a handler and only drops that connection, so a crash there costs one request rather than the process; a panic in a goroutine the handler started, in a background worker, a CLI, or a controller reconciling YAML resources is not recovered and terminates the whole program. Applications that parse untrusted YAML on such paths are the primary risk.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2022-28948?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • gopkg.in/yaml.v3
    • <3.0.0-20220521103104-8f96da9f5d5e → Upgrade to at least 3.0.0-20220521103104-8f96da9f5d5e (the pseudo-version of the fixing commit)
    • <3.0.1 → Upgrade to 3.0.1 (tagged release)
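As an added example (not the advisory's or go-yaml's code) of checking a module graph against the fix boundary above, this Go program compares a gopkg.in/yaml.v3 version string with the fixing pseudo-version using the subset of Go module version ordering that yaml.v3 versions actually use, and scans go.mod text for the requirement. Assumptions made here: the only versions of interest are "vMAJOR.MINOR.PATCH" tags and "vMAJOR.MINOR.PATCH-timestamp-hash" pseudo-versions (no build metadata, no dotted prerelease identifiers); replace directives and the full module graph from `go list -m all` are not parsed; the two go.mod fragments are constructed sample input, and the older pseudo-version in them is illustrative.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedPseudoVersion is the earliest gopkg.in/yaml.v3 revision the advisory
// lists as containing the fix; anything that sorts below it is affected.
const FixedPseudoVersion = "v3.0.0-20220521103104-8f96da9f5d5e"

// parseVersion splits "vMAJOR.MINOR.PATCH[-PRERELEASE]" into its numeric core
// and prerelease tag. Build metadata ("+...") is not handled (assumption).
func parseVersion(v string) (nums [3]int, pre string, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = v[i+1:]
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", fmt.Errorf("malformed version component %q", p)
		}
		nums[i] = n
	}
	return nums, pre, nil
}

// compareVersions orders two versions: numeric core first; a tagged release
// sorts above any prerelease of the same core; two pseudo-version tags
// ("timestamp-hash") compare lexically, which orders them by commit time.
func compareVersions(a, b string) (int, error) {
	an, ap, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	bn, bp, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case ap == "" && bp == "":
		return 0, nil
	case ap == "":
		return 1, nil
	case bp == "":
		return -1, nil
	}
	return strings.Compare(ap, bp), nil
}

// IsAffected reports whether a gopkg.in/yaml.v3 version predates the fix.
func IsAffected(version string) (bool, error) {
	c, err := compareVersions(version, FixedPseudoVersion)
	return c < 0, err
}

// CheckGoMod finds the gopkg.in/yaml.v3 requirement in go.mod text (single-line
// or block form) and reports its version and whether it is affected.
func CheckGoMod(goMod string) (version string, affected bool, err error) {
	for _, line := range strings.Split(goMod, "\n") {
		fields := strings.Fields(line)
		if len(fields) > 0 && fields[0] == "require" {
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == "gopkg.in/yaml.v3" {
			affected, err = IsAffected(fields[1])
			return fields[1], affected, err
		}
	}
	return "", false, fmt.Errorf("gopkg.in/yaml.v3 not required in go.mod")
}

// Constructed sample go.mod fragments, not taken from any real project.
const vulnerableGoMod = "module example.com/app\n\ngo 1.18\n\nrequire (\n\tgithub.com/spf13/cobra v1.4.0\n\tgopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect\n)\n"
const patchedGoMod = "module example.com/app\n\ngo 1.18\n\nrequire gopkg.in/yaml.v3 v3.0.1\n"

func main() {
	for _, mod := range []string{vulnerableGoMod, patchedGoMod} {
		v, affected, err := CheckGoMod(mod)
		fmt.Printf("yaml.v3 %s affected=%v err=%v\n", v, affected, err)
	}
}
```

Run this against the go.mod of each service as a quick triage step; for indirect dependencies that do not appear in go.mod, feed it the relevant line of `go list -m all` output instead, since the version format is the same.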


Additional Resources

What are Similar Vulnerabilities to CVE-2022-28948?

Similar vulnerabilities: CVE-2021-37574, CVE-2021-39130, CVE-2020-8037, CVE-2020-5397, CVE-2020-5259