
CVE-2022-32149 – Denial of service via crafted Accept-Language header in golang.org/x/text/language
https://notcve.org/view.php?id=CVE-2022-32149
14 Oct 2022 — An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of servi... • https://go.dev/cl/442235 • CWE-407: Inefficient Algorithmic Complexity • CWE-772: Missing Release of Resource after Effective Lifetime

CVE-2021-38561 – golang: out-of-bounds read in golang.org/x/text/language leads to DoS
https://notcve.org/view.php?id=CVE-2021-38561
27 Jul 2022 — golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. • https://deps.dev/advisory/OSV/GO-2021-0113 • CWE-125: Out-of-bounds Read

CVE-2020-28852 – golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
https://notcve.org/view.php?id=CVE-2020-28852
02 Jan 2021 — In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) A flaw was found in golang.org... • https://github.com/golang/go/issues/42536 • CWE-129: Improper Validation of Array Index

CVE-2020-14040 – golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
https://notcve.org/view.php?id=CVE-2020-14040
17 Jun 2020 — The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. • https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')