CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30630 – Stack exhaustion in Glob on certain paths in io/fs
https://notcve.org/view.php?id=CVE-2022-30630
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. Una recursión no controlada en Glob en io/fs versiones anteriores a Go 1.17.12 y Go 1.18.4, permite a un atacante causar un pánico debido al agotamiento de la pila por medio de una ruta que contenga un gran número de separadores de ruta A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability. • https://go.dev/cl/417065 https://go.dev/issue/53415 https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE https://pkg.go.dev/vuln/GO-2022-0527 https://access.redhat.com/security/cve/CVE-2022-30630 https://bugzilla.redhat.com/show_bug.cgi?id=2107371 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30632 – Stack exhaustion on crafted paths in path/filepath
https://notcve.org/view.php?id=CVE-2022-30632
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. Una recursión no controlada en Glob en path/filepath versiones anteriores a Go 1.17.12 y Go 1.18.4, permite a un atacante causar un pánico debido al agotamiento de la pila por medio de una ruta que contenga un gran número de separadores de ruta A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability. • https://go.dev/cl/417066 https://go.dev/issue/53416 https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE https://pkg.go.dev/vuln/GO-2022-0522 https://access.redhat.com/security/cve/CVE-2022-30632 https://bugzilla.redhat.com/show_bug.cgi?id=2107386 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-32148 – Exposure of client IP addresses in net/http
https://notcve.org/view.php?id=CVE-2022-32148
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. Una exposición inapropiada de las direcciones IP de los clientes en net/http versiones anteriores a Go 1.17.12 y Go 1.18.4, puede desencadenarse llamando a httputil.ReverseProxy.ServeHTTP con un mapa Request.Header que contenga un valor nulo para el encabezado X-Forwarded-For, lo que causa que ReverseProxy establezca la IP del cliente como valor de el encabezado X-Forwarded-For A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality. • https://go.dev/cl/412857 https://go.dev/issue/53423 https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE https://pkg.go.dev/vuln/GO-2022-0520 https://access.redhat.com/security/cve/CVE-2022-32148 https://bugzilla.redhat.com/show_bug.cgi?id=2107383 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30631 – Stack exhaustion when reading certain archives in compress/gzip
https://notcve.org/view.php?id=CVE-2022-30631
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. Una recursión no controlada en el archivo Reader.Read en compress/gzip versiones anteriores a Go 1.17.12 y Go 1.18.4, permite a un atacante causar un pánico debido al agotamiento de la pila por medio de un archivo que contenga un gran número de archivos comprimidos de longitud 0 concatenados A flaw was found in golang. Calling the Reader, Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion. • https://go.dev/cl/417067 https://go.dev/issue/53168 https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE https://pkg.go.dev/vuln/GO-2022-0524 https://access.redhat.com/security/cve/CVE-2022-30631 https://bugzilla.redhat.com/show_bug.cgi?id=2107342 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-28131 – Stack exhaustion from deeply nested XML documents in encoding/xml
https://notcve.org/view.php?id=CVE-2022-28131
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. En Decoder.Skip en encoding/xml en Go antes de 1.17.12 y 1.18.x antes de 1.18.4, el agotamiento de la pila y un pánico puede ocurrir a través de un documento XML profundamente anidado A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability. • https://go.dev/cl/417062 https://go.dev/issue/53614 https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3 https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE https://pkg.go.dev/vuln/GO-2022-0521 https://access.redhat.com/security/cve/CVE-2022-28131 https://bugzilla.redhat.com/show_bug.cgi?id=2107390 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •