CVE-2022-28948: 
NixOS vulnerability analysis and mitigation

An issue was discovered in the Unmarshal function in Go-Yaml v3 that causes the program to crash when attempting to deserialize invalid input. The vulnerability was identified in May 2022 and affects applications using the Go-Yaml v3 library. This security flaw has been assigned CVE-2022-28948 and received a CVSS v3.1 base score of 7.5 (HIGH) (NVD).

The vulnerability exists in the parsing functionality of Go-Yaml v3's Unmarshal function. When attempting to parse malformed YAML input, specifically when encountering unknown events during parsing, the function triggers a panic with the message "attempted to parse unknown event (please report): none". The issue has been assigned CWE-502 (Deserialization of Untrusted Data) and has a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with no privileges required (GitHub Issue).

The successful exploitation of this vulnerability results in a Denial of Service (DoS) condition. When triggered, the application crashes due to the panic in the YAML parsing functionality, affecting the availability of the service. The vulnerability does not impact confidentiality or integrity of the system (NetApp Advisory).

The vulnerability has been fixed in Go-Yaml v3.0.1. Users are advised to upgrade to this version or later to address the issue. Several affected products, such as Astra Trident, have released patches to address this vulnerability in their respective versions (NetApp Advisory).