CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-34158 – Stack exhaustion in Parse in go/build/constraint
https://notcve.org/view.php?id=CVE-2024-34158
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. A flaw was found in the go/build/constraint package of the Golang standard library. Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. • https://go.dev/cl/611240 https://go.dev/issue/69141 https://groups.google.com/g/golang-dev/c/S9POB9NCTdk https://pkg.go.dev/vuln/GO-2024-3107 https://access.redhat.com/security/cve/CVE-2024-34158 https://bugzilla.redhat.com/show_bug.cgi?id=2310529 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-34156 – Stack exhaustion in Decoder.Decode in encoding/gob
https://notcve.org/view.php?id=CVE-2024-34156
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. • https://go.dev/cl/611239 https://go.dev/issue/69139 https://groups.google.com/g/golang-dev/c/S9POB9NCTdk https://pkg.go.dev/vuln/GO-2024-3106 https://access.redhat.com/security/cve/CVE-2024-34156 https://bugzilla.redhat.com/show_bug.cgi?id=2310528 • CWE-674: Uncontrolled Recursion •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-34155 – Stack exhaustion in all Parse functions in go/parser
https://notcve.org/view.php?id=CVE-2024-34155
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. A flaw was found in the go/parser package of the Golang standard library. Calling any Parse functions on Go source code containing deeply nested literals can cause a panic due to stack exhaustion. • https://go.dev/cl/611238 https://go.dev/issue/69138 https://groups.google.com/g/golang-dev/c/S9POB9NCTdk https://pkg.go.dev/vuln/GO-2024-3105 https://access.redhat.com/security/cve/CVE-2024-34155 https://bugzilla.redhat.com/show_bug.cgi?id=2310527 • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24791 – Denial of service due to improper 100-continue handling in net/http
https://notcve.org/view.php?id=CVE-2024-24791
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. El cliente net/http HTTP/1.1 manejó mal el caso en el que un servidor responde a una solicitud con un encabezado "Expect: 100-continue" con un estado no informativo (200 o superior). • https://go.dev/cl/591255 https://go.dev/issue/67555 https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ https://pkg.go.dev/vuln/GO-2024-2963 https://access.redhat.com/security/cve/CVE-2024-24791 https://bugzilla.redhat.com/show_bug.cgi?id=2295310 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24788 – Malformed DNS message can cause infinite loop in net
https://notcve.org/view.php?id=CVE-2024-24788
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. Un mensaje DNS con formato incorrecto en respuesta a una consulta puede hacer que las funciones de búsqueda se atasquen en un bucle infinito. A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions. • http://www.openwall.com/lists/oss-security/2024/05/08/3 https://go.dev/cl/578375 https://go.dev/issue/66754 https://groups.google.com/g/golang-announce/c/wkkO4P9stm0 https://pkg.go.dev/vuln/GO-2024-2824 https://security.netapp.com/advisory/ntap-20240605-0002 https://security.netapp.com/advisory/ntap-20240614-0001 https://access.redhat.com/security/cve/CVE-2024-24788 https://bugzilla.redhat.com/show_bug.cgi?id=2279814 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •