
CVSS: 7.5 • EPSS: 0% • CPEs: 14 • EXPL: 0

29 Sep 2019 — Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter by... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS: 9.8 • EPSS: 1% • CPEs: 3 • EXPL: 1

13 Aug 2019 — net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html • CWE-285: Improper Authorization

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

13 May 2019 — Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. • https://go-review.googlesource.com/c/go/+/176619 • CWE-269: Improper Privilege Management

CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 1

08 Mar 2019 — Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. • http://www.openwall.com/lists/oss-security/2019/04/09/1 • CWE-427: Uncontrolled Search Path Element

CVSS: 8.2 • EPSS: 3% • CPEs: 5 • EXPL: 0

24 Jan 2019 — Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.html • CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 8.1 • EPSS: 2% • CPEs: 8 • EXPL: 0

14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.1 • EPSS: 28% • CPEs: 8 • EXPL: 0

14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git"... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation

CVSS: 7.8 • EPSS: 1% • CPEs: 3 • EXPL: 1

14 Dec 2018 — The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. • https://github.com/alexzorin/poc-cve-2018-16875 • CWE-20: Improper Input Validation • CWE-295: Improper Certificate Validation

CVSS: 9.3 • EPSS: 13% • CPEs: 4 • EXPL: 1

16 Feb 2018 — The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. • https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.8 • EPSS: 2% • CPEs: 13 • EXPL: 80

07 Feb 2018 — Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. • https://github.com/neargle/Go-Get-RCE-CVE-2018-6574-POC • CWE-20: Improper Input Validation • CWE-94: Improper Control of Generation of Code ('Code Injection')