CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32149 – Denial of service via crafted Accept-Language header in golang.org/x/text/language
https://notcve.org/view.php?id=CVE-2022-32149
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. Un atacante podría causar una denegación de servicio al diseñar un encabezado Accept-Language que ParseAcceptLanguage tardaría mucho tiempo en analizar A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability. • https://go.dev/cl/442235 https://go.dev/issue/56152 https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ https://pkg.go.dev/vuln/GO-2022-1059 https://access.redhat.com/security/cve/CVE-2022-32149 https://bugzilla.redhat.com/show_bug.cgi?id=2134010 • CWE-407: Inefficient Algorithmic Complexity CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38561 – golang: out-of-bounds read in golang.org/x/text/language leads to DoS
https://notcve.org/view.php?id=CVE-2021-38561
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. golang.org/x/text/language en golang.org/x/text anterior a 0.3.7 puede entrar en pánico con una lectura fuera de los límites durante el análisis de etiquetas de idioma BCP 47. El cálculo del índice está mal manejado. Si se analizan entradas de usuarios que no son de confianza, esto se puede utilizar como vector para un ataque de Denegación de Servicio (DoS). • https://deps.dev/advisory/OSV/GO-2021-0113 https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f https://groups.google.com/g/golang-announce https://pkg.go.dev/golang.org/x/text/language https://access.redhat.com/security/cve/CVE-2021-38561 https://bugzilla.redhat.com/show_bug.cgi?id=2100495 • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28852 – golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
https://notcve.org/view.php?id=CVE-2020-28852
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go anterior a la versión v0.3.5, un pánico "slice bounds out of range" se produce en language.ParseAcceptLanguage mientras se procesa una etiqueta BCP 47. (Se supone que x/text/language puede ser capaz de analizar un encabezado HTTP Accept-Language) A flaw was found in golang.org. In x/text, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. • https://github.com/golang/go/issues/42536 https://security.netapp.com/advisory/ntap-20210212-0004 https://access.redhat.com/security/cve/CVE-2020-28852 https://bugzilla.redhat.com/show_bug.cgi?id=1913338 • CWE-129: Improper Validation of Array Index •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-14040 – golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
https://notcve.org/view.php?id=CVE-2020-14040
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. El paquete x/text anterior a la versión 0.3.3 para Go tiene una vulnerabilidad en la codificación/unicode que podría llevar al decodificador UTF-16 a ingresar en un bucle infinito, causando que el programa se bloquee o se ejecute fuera de la memoria. Un atacante podría proporcionar un solo byte a un decodificador UTF16 instanciado con UseBOM o ExpectBOM para activar un bucle infinito si se llama a la función String en el Decoder, o el Decoder es pasado a golang.org/x/text/transform.String A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. • https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O https://access.redhat.com/security/cve/CVE-2020-14040 https://bugzilla.redhat.com/show_bug.cgi?id=1853652 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •