CVE-2022-28948
CVE Details
Visit the official vulnerability details page for CVE-2022-28948 to learn more.
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
gopkg.in/yaml.v3
NIST CVE Summary
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
CVE Severity
Our Official Summary
A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to convert (or deserialize) invalid input data, potentially impacting system stability and reliability.
The images where this vulnrability is have controls in place are not accessible outside the cluster. So the attacker needs to gain privileged access to the cluster to attempt this exploit. Also the containers do not allow execution of arbitrary code. Impact of this exploit is also low, since container reduces the attack surface.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.15 | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.5.11 | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.5.10 | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.5.8 | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.5.5 | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.5.4 | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
| 4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 12/09/2024 | Official summary revised: A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to convert (or deserialize) invalid input data, potentially impacting system stability and reliability.The images where this vulnrability is have controls in place are not accessible outside the cluster. So the attacker needs to gain privileged access to the cluster to attempt this exploit. Also the containers do not allow execution of arbitrary code. Impact of this exploit is also low, since container reduces the attack surface. |
| 11/30/2024 | Advisory is now impacting. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |