CVE-2020-7919 – Debian Security Advisory 4848-1
https://notcve.org/view.php?id=CVE-2020-7919
16 Mar 2020 — Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. Multiple security issu... • https://groups.google.com/forum/#%21forum/golang-announce • CWE-295: Improper Certificate Validation •
CVE-2015-5741 – golang: HTTP request smuggling in net/http library
https://notcve.org/view.php?id=CVE-2015-5741
08 Feb 2020 — The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2020-0601 – Microsoft Windows CryptoAPI Spoofing Vulnerability
https://notcve.org/view.php?id=CVE-2020-0601
14 Jan 2020 — A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. • https://packetstorm.news/files/id/155960 • CWE-295: Improper Certificate Validation •
CVE-2019-17596 – golang: invalid public key causes panic in dsa.Verify
https://notcve.org/view.php?id=CVE-2019-17596
24 Oct 2019 — Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. • https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596 • CWE-295: Improper Certificate Validation CWE-436: Interpretation Conflict •
CVE-2019-16276 – golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling
https://notcve.org/view.php?id=CVE-2019-16276
29 Sep 2019 — Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter by... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2019-14809 – golang: malformed hosts in URLs leads to authorization bypass
https://notcve.org/view.php?id=CVE-2019-14809
13 Aug 2019 — net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html • CWE-285: Improper Authorization •
CVE-2019-11888
https://notcve.org/view.php?id=CVE-2019-11888
13 May 2019 — Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. • https://go-review.googlesource.com/c/go/+/176619 • CWE-269: Improper Privilege Management •
CVE-2019-9741 – golang: CRLF injection in net/http
https://notcve.org/view.php?id=CVE-2019-9741
13 Mar 2019 — An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. The go-toolset:r... • http://www.securityfocus.com/bid/107432 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVE-2019-9634
https://notcve.org/view.php?id=CVE-2019-9634
08 Mar 2019 — Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. • http://www.openwall.com/lists/oss-security/2019/04/09/1 • CWE-427: Uncontrolled Search Path Element •
CVE-2019-6486 – Debian Security Advisory 4379-1
https://notcve.org/view.php?id=CVE-2019-6486
24 Jan 2019 — Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.html • CWE-770: Allocation of Resources Without Limits or Throttling •