GMS-2020-795: Denial of Service in yar

September 1, 2020 (updated September 23, 2021)

Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value.

When an invalid encryped session cookie value is provided, the process will crash.

Recommendation

Update to version 2.2.0 or later.

References

github.com/advisories/GHSA-gg6m-fhqv-hg56
github.com/spumko/yar/issues/34
nvd.nist.gov/vuln/detail/CVE-2014-4179
www.npmjs.com/advisories/44

Code Behaviors & Features

Detect and mitigate GMS-2020-795 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →