CVE-2021-4235 - Vulnerability Details

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Openshift Openshift Data Foundation
Yaml Project	Yaml

Configuration 1 [-]

cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.12
openshift-clients-0:4.12.0-202301042257.p0.g854f807.assembly.stream.el9	cpe:/a:redhat:openshift:4.12::el8	RHSA-2022:7398	2023-01-17T00:00:00Z
openshift4/ose-installer:v4.12.0-202301271115.p0.g7fea1c4.assembly.stream	cpe:/a:redhat:openshift:4.12::el8	RHSA-2023:0569	2023-02-07T00:00:00Z
openshift4/metallb-rhel8-operator:v4.12.0-202301301729.p0.g917cd33.assembly.stream	cpe:/a:redhat:openshift:4.12::el8	RHSA-2023:0570	2023-02-07T00:00:00Z
openshift4/ose-openshift-controller-manager-rhel8:v4.12.0-202306090942.p0.gb6528f9.assembly.stream	cpe:/a:redhat:openshift:4.12::el8	RHSA-2023:3615	2023-06-24T00:00:00Z
Red Hat OpenShift Container Platform 4.13
openshift4/ose-installer:v4.13.0-202305091542.p0.g44db7b2.assembly.stream	cpe:/a:redhat:openshift:4.13::el8	RHSA-2023:1326	2023-05-17T00:00:00Z
openshift4/ose-machine-api-operator:v4.13.0-202304190216.p0.ga23baf7.assembly.stream	cpe:/a:redhat:openshift:4.13::el8	RHSA-2023:1326	2023-05-17T00:00:00Z
RHODF-4.13-RHEL-9
odf4/mcg-rhel9-operator:v4.13.0-41	cpe:/a:redhat:openshift_data_foundation:4.13::el9	RHSA-2023:3742	2023-06-21T00:00:00Z
odf4/odf-rhel9-operator:v4.13.0-24	cpe:/a:redhat:openshift_data_foundation:4.13::el9	RHSA-2023:3742	2023-06-21T00:00:00Z

References

Link	Providers
https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
https://github.com/go-yaml/yaml/pull/375
https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
https://nvd.nist.gov/vuln/detail/CVE-2021-4235
https://pkg.go.dev/vuln/GO-2021-0061
https://www.cve.org/CVERecord?id=CVE-2021-4235

History

No history.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-12-27T21:13:42.393Z

Updated: 2025-02-13T16:28:37.426Z

Reserved: 2022-07-29T18:56:20.415Z

Link: CVE-2021-4235

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-27T22:15:11.960

Modified: 2024-11-21T06:37:12.307

Link: CVE-2021-4235

Redhat

Severity : Moderate

Publid Date: 2022-12-27T00:00:00Z

Links: CVE-2021-4235 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object