
CVE-2021-33198 – golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
https://notcve.org/view.php?id=CVE-2021-33198
28 Jun 2021 — In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, puede haber un pánico por un exponente grande al método math/big.Rat SetString o UnmarshalText. A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from... • https://groups.google.com/g/golang-announce • CWE-400: Uncontrolled Resource Consumption •

CVE-2021-33197 – golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
https://notcve.org/view.php?id=CVE-2021-33197
28 Jun 2021 — In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, algunas configuraciones de ReverseProxy (desde net/http/httputil) resultan en una situación en la que un atacante es capaz de dejar caer cabeceras arbitrarias A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy for... • https://groups.google.com/g/golang-announce • CWE-20: Improper Input Validation CWE-862: Missing Authorization •

CVE-2021-31525 – golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
https://notcve.org/view.php?id=CVE-2021-31525
27 May 2021 — net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. net/http en Go versiones anteriores a 1.15.12 y versiones 1.16.x anteriores a 1.16.4, permite a atacantes remotos causar una denegación de servicio (pánico) por medio de un encabezado grande en los parámetros ReadRequest o ReadResponse. El Servidor, el Transporte y... • https://github.com/golang/go/issues/45710 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-674: Uncontrolled Recursion •

CVE-2021-33194 – golang: x/net/html: infinite loop in ParseFragment
https://notcve.org/view.php?id=CVE-2021-33194
26 May 2021 — golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. golang.org/x/net antes de v0.0.0-20210520170846-37e1c6afe023 permite a los atacantes provocar una denegación de servicio (bucle infinito) a través de una entrada ParseFragment manipulada A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest th... • https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2021-27919 – Gentoo Linux Security Advisory 202208-02
https://notcve.org/view.php?id=CVE-2021-27919
11 Mar 2021 — archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. archive/zip en Go versiones 1.16.x anteriores a 1.16.1, permite a atacantes causar una denegación de servicio (pánico) al intentar usar la API Reader.Open para un archivo ZIP en el que ../ aparece al principio de cualquier nombre de archivo Multiple vulnerabilities have been found in Go, the worst of whi... • https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw •

CVE-2021-27918 – golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
https://notcve.org/view.php?id=CVE-2021-27918
10 Mar 2021 — encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. encoding/xml en Go versiones anteriores a 1.15.9 y versiones 1.16.x anteriores a 1.16.1, presenta un bucle infinito si un TokenReader personalizado (para xml.NewTokenDecoder) devuelve EOF en medio de un elemento. Esto puede ocurrir en el método Decode, DecodeElement o Skip An... • https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2021-3114 – golang: crypto/elliptic: incorrect operations on the P-224 curve
https://notcve.org/view.php?id=CVE-2021-3114
26 Jan 2021 — In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. En Go versiones anteriores a 1.14.14 y versiones 1.15.x anteriores a 1.15.7, en el archivo crypto/elliptic/p224.go puede generar salidas incorrectas, relacionadas con un subdesbordamiento de la extremidad más baja durante la reducción completa final en el campo P-224 A flaw detected in golang: crypto/elliptic... • https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871 • CWE-682: Incorrect Calculation •

CVE-2021-3115 – golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
https://notcve.org/view.php?id=CVE-2021-3115
26 Jan 2021 — Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). Go versiones anteriores a 1.14.14 y versiones 1.15. x anteriores a 1.15.7 en Windows, es vulnerable a una inyección de comandos y una ejecución de código remota cuando es usado el comando "go get" para buscar módulos que hacen uso de cgo (por ejemplo, cg... • https://blog.golang.org/path-security • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-427: Uncontrolled Search Path Element •

CVE-2021-3121 – gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
https://notcve.org/view.php?id=CVE-2021-3121
11 Jan 2021 — An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. Se detectó un problema en GoGo Protobuf versiones anteriores a 1.3.2. El archivo plugin/unmarshal/unmarshal.go carece de determinada comprobación de índice, también se conoce como el problema "skippy peanut butter" A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects... • https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025 • CWE-129: Improper Validation of Array Index •

CVE-2020-28852 – golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
https://notcve.org/view.php?id=CVE-2020-28852
02 Jan 2021 — In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go anterior a la versión v0.3.5, un pánico "slice bounds out of range" se produce en language.ParseAcceptLanguage mientras se procesa una etiqueta BCP 47. (Se supone que x/text/language puede ser capaz de analizar un encabezado HTTP Accept-Language) A flaw was found in golang.org... • https://github.com/golang/go/issues/42536 • CWE-129: Improper Validation of Array Index •