VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-r6k8-p4aa-aaaa

Essentials
Severities (110)
References (17)
Severity details (22)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-r6k8-p4aa-aaaa
Aliases	CVE-2021-4235 GHSA-r88r-gmrh-7j83
Summary	Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-400

Uncontrolled Resource Consumption

System	Score	Found at
cvssv3	5.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4235.json
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00025	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00029	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2021-4235
cvssv3.1	5.5	https://github.com/go-yaml/yaml
cvssv3.1	7.5	https://github.com/go-yaml/yaml
generic_textual	HIGH	https://github.com/go-yaml/yaml
generic_textual	MODERATE	https://github.com/go-yaml/yaml
cvssv3.1	5.5	https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
generic_textual	MODERATE	https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
ssvc	Track	https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
cvssv3.1	5.5	https://github.com/go-yaml/yaml/pull/375
generic_textual	MODERATE	https://github.com/go-yaml/yaml/pull/375
ssvc	Track	https://github.com/go-yaml/yaml/pull/375
cvssv3.1	5.5	https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
cvssv3.1	7.5	https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
generic_textual	HIGH	https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
generic_textual	MODERATE	https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
cvssv3	5.5	https://nvd.nist.gov/vuln/detail/CVE-2021-4235
cvssv3.1	5.5	https://nvd.nist.gov/vuln/detail/CVE-2021-4235
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2021-4235
cvssv3.1	5.5	https://pkg.go.dev/vuln/GO-2021-0061
generic_textual	MODERATE	https://pkg.go.dev/vuln/GO-2021-0061
ssvc	Track	https://pkg.go.dev/vuln/GO-2021-0061

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4235.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-4235
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4235
		https://github.com/go-yaml/yaml
		https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
		https://github.com/go-yaml/yaml/pull/375
		https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
		https://pkg.go.dev/vuln/GO-2021-0061
2156727		https://bugzilla.redhat.com/show_bug.cgi?id=2156727
cpe:2.3:a:yaml_project:yaml::::::go::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:yaml_project:yaml::::::go::*
CVE-2021-4235		https://nvd.nist.gov/vuln/detail/CVE-2021-4235
RHSA-2023:0569		https://access.redhat.com/errata/RHSA-2023:0569
RHSA-2023:0570		https://access.redhat.com/errata/RHSA-2023:0570
RHSA-2023:1326		https://access.redhat.com/errata/RHSA-2023:1326
RHSA-2023:3615		https://access.redhat.com/errata/RHSA-2023:3615
RHSA-2023:3742		https://access.redhat.com/errata/RHSA-2023:3742
USN-6287-1		https://usn.ubuntu.com/6287-1/

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4235.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://github.com/go-yaml/yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/go-yaml/yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-11T16:24:34Z/ Found at https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://github.com/go-yaml/yaml/pull/375

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-11T16:24:34Z/ Found at https://github.com/go-yaml/yaml/pull/375

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-11T16:24:34Z/ Found at https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-4235

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-4235

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://pkg.go.dev/vuln/GO-2021-0061

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-11T16:24:34Z/ Found at https://pkg.go.dev/vuln/GO-2021-0061

Exploit Prediction Scoring System (EPSS)

Percentile	0.03962
EPSS Score	0.00025
Published At	March 28, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.