Filtered by vendor Golang
Subscribe
Search
Total
73 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27918 | 1 Golang | 1 Go | 2021-03-18 | 5.0 MEDIUM | 7.5 HIGH |
| encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. | |||||
| CVE-2020-28851 | 1 Golang | 1 Go | 2021-02-22 | 5.0 MEDIUM | 7.5 HIGH |
| In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | |||||
| CVE-2020-28367 | 3 Debian, Fedoraproject, Golang | 3 Debian Linux, Fedora, Go | 2020-12-16 | 5.1 MEDIUM | 7.5 HIGH |
| Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. | |||||
| CVE-2020-28366 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2020-12-16 | 5.1 MEDIUM | 7.5 HIGH |
| Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. | |||||
| CVE-2020-14040 | 2 Fedoraproject, Golang | 2 Fedora, Text | 2020-11-18 | 5.0 MEDIUM | 7.5 HIGH |
| The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. | |||||
| CVE-2019-9634 | 2 Golang, Microsoft | 2 Go, Windows | 2020-08-24 | 6.8 MEDIUM | 7.8 HIGH |
| Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. | |||||
| CVE-2018-17075 | 2 Fedoraproject, Golang | 2 Fedora, Net | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit. | |||||
| CVE-2018-17143 | 2 Fedoraproject, Golang | 2 Fedora, Net | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call. | |||||
| CVE-2018-17142 | 2 Fedoraproject, Golang | 2 Fedora, Net | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call. | |||||
| CVE-2019-6486 | 3 Debian, Golang, Opensuse | 3 Debian Linux, Go, Leap | 2020-08-24 | 6.4 MEDIUM | 8.2 HIGH |
| Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. | |||||
| CVE-2018-17847 | 2 Fedoraproject, Golang | 2 Fedora, Net | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call. | |||||
| CVE-2017-3204 | 1 Golang | 1 Crypto | 2020-07-07 | 6.8 MEDIUM | 8.1 HIGH |
| The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism. | |||||
| CVE-2018-17848 | 2 Fedoraproject, Golang | 2 Fedora, Net | 2020-06-02 | 5.0 MEDIUM | 7.5 HIGH |
| The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call. | |||||
| CVE-2018-17846 | 2 Fedoraproject, Golang | 2 Fedora, Net | 2020-06-02 | 5.0 MEDIUM | 7.5 HIGH |
| The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification. | |||||
| CVE-2016-5386 | 4 Fedoraproject, Golang, Oracle and 1 more | 6 Fedora, Go, Linux and 3 more | 2019-12-27 | 6.8 MEDIUM | 8.1 HIGH |
| The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. | |||||
| CVE-2018-6574 | 3 Debian, Golang, Redhat | 6 Debian Linux, Go, Enterprise Linux Server and 3 more | 2019-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. | |||||
| CVE-2018-16875 | 2 Golang, Opensuse | 2 Go, Leap | 2019-06-03 | 7.8 HIGH | 7.5 HIGH |
| The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. | |||||
| CVE-2018-7187 | 2 Debian, Golang | 2 Debian Linux, Go | 2019-02-28 | 9.3 HIGH | 8.8 HIGH |
| The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | |||||
| CVE-2015-8618 | 2 Golang, Opensuse | 2 Go, Leap | 2018-10-30 | 5.0 MEDIUM | 7.5 HIGH |
| The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors. | |||||
| CVE-2016-3959 | 3 Fedoraproject, Golang, Opensuse | 3 Fedora, Go, Leap | 2018-10-30 | 5.0 MEDIUM | 7.5 HIGH |
| The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries. | |||||
| CVE-2017-1000098 | 1 Golang | 1 Go | 2018-08-13 | 5.0 MEDIUM | 7.5 HIGH |
| The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. | |||||
| CVE-2016-3958 | 1 Golang | 1 Go | 2018-08-13 | 7.2 HIGH | 7.8 HIGH |
| Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. | |||||
| CVE-2017-1000097 | 1 Golang | 1 Go | 2018-08-13 | 5.0 MEDIUM | 7.5 HIGH |
| On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. | |||||