CVE-2022-30635 – Stack exhaustion when decoding certain messages in encoding/gob
https://notcve.org/view.php?id=CVE-2022-30635
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, allowing an attacker to impact system availability.
References: https://go.dev/cl/417064 • https://go.dev/issue/53615 • https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7 • https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE • https://pkg.go.dev/vuln/GO-2022-0526 • https://access.redhat.com/security/cve/CVE-2022-30635 • https://bugzilla.redhat.com/show_bug.cgi?id=2107388
Weakness: CWE-674: Uncontrolled Recursion • CWE-1325: Improperly Controlled Sequential Memory Allocation
CVE-2022-30630 – Stack exhaustion in Glob on certain paths in io/fs
https://notcve.org/view.php?id=CVE-2022-30630
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
References: https://go.dev/cl/417065 • https://go.dev/issue/53415 • https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 • https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE • https://pkg.go.dev/vuln/GO-2022-0527 • https://access.redhat.com/security/cve/CVE-2022-30630 • https://bugzilla.redhat.com/show_bug.cgi?id=2107371
Weakness: CWE-674: Uncontrolled Recursion • CWE-1325: Improperly Controlled Sequential Memory Allocation
CVE-2022-30632 – Stack exhaustion on crafted paths in path/filepath
https://notcve.org/view.php?id=CVE-2022-30632
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
References: https://go.dev/cl/417066 • https://go.dev/issue/53416 • https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef • https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE • https://pkg.go.dev/vuln/GO-2022-0522 • https://access.redhat.com/security/cve/CVE-2022-30632 • https://bugzilla.redhat.com/show_bug.cgi?id=2107386
Weakness: CWE-674: Uncontrolled Recursion • CWE-1325: Improperly Controlled Sequential Memory Allocation
CVE-2022-32148 – Exposure of client IP addresses in net/http
https://notcve.org/view.php?id=CVE-2022-32148
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
A flaw was found in the net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
References: https://go.dev/cl/412857 • https://go.dev/issue/53423 • https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a • https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE • https://pkg.go.dev/vuln/GO-2022-0520 • https://access.redhat.com/security/cve/CVE-2022-32148 • https://bugzilla.redhat.com/show_bug.cgi?id=2107383
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-30631 – Stack exhaustion when reading certain archives in compress/gzip
https://notcve.org/view.php?id=CVE-2022-30631
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
A flaw was found in golang. Calling the Reader.Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
References: https://go.dev/cl/417067 • https://go.dev/issue/53168 • https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e • https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE • https://pkg.go.dev/vuln/GO-2022-0524 • https://access.redhat.com/security/cve/CVE-2022-30631 • https://bugzilla.redhat.com/show_bug.cgi?id=2107342
Weakness: CWE-674: Uncontrolled Recursion • CWE-1325: Improperly Controlled Sequential Memory Allocation