CVSS: 8.2EPSS: 3%CPEs: 5EXPL: 0CVE-2019-6486 – Debian Security Advisory 4379-1
https://notcve.org/view.php?id=CVE-2019-6486
24 Jan 2019 — Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. Go, en versiones anteriores a la 1.10.8 y las versiones 1.11.x anteriores a la 1.11.5, gestionan de manera incorrecta las curvas elípticas P-521 y P-384, que permiten que los atacantes provoquen una denegación de servicio (consumo de CPU) o lleven a cabo ataques de recuperación de la clave privada EC... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 2%CPEs: 8EXPL: 0CVE-2018-16874 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16874
14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. En Go en versiones anteriores a la 1.1... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 28%CPEs: 8EXPL: 0CVE-2018-16873 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16873
14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git"... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 1%CPEs: 3EXPL: 1CVE-2018-16875 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16875
14 Dec 2018 — The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. El paquete crypto/x509 de Go, en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3,no limita la cantidad de trabajo realizado para cada verificación de cadenas, lo que podría pe... • https://github.com/alexzorin/poc-cve-2018-16875 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 9.3EPSS: 13%CPEs: 4EXPL: 1CVE-2018-7187 – Debian Security Advisory 4379-1
https://notcve.org/view.php?id=CVE-2018-7187
16 Feb 2018 — The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. La implementación "go get" en Go 1.9.4, cuando se emplea la opción -insecure command-line, no valida la ruta de importación (get/vcs.go solo busca "://" en cualquier lugar de la cadena), lo que permite que atacantes remotos ejecuten comandos a... • https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 2%CPEs: 13EXPL: 80CVE-2018-6574 – golang: arbitrary code execution during "go get" via C compiler options
https://notcve.org/view.php?id=CVE-2018-6574
07 Feb 2018 — Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. Go, en versiones anteriores a la 1.8.7; Go en versiones 1.9.x anteriores a la 1.9.4 y los prelanzamientos de Go 1.10 anteriores a Go 1.10rc2 permiten la ejecución remota de comandos "go get" durante la construcción del código fuente aprovechando la caracter... • https://github.com/neargle/Go-Get-RCE-CVE-2018-6574-POC • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 1%CPEs: 16EXPL: 0CVE-2015-5740 – golang: HTTP request smuggling in net/http library
https://notcve.org/view.php?id=CVE-2015-5740
18 Oct 2017 — The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers. La biblioteca net/http en net/http/transfer.go en Go en versiones anteriores a la 1.4.3 no analiza sintácticamente cabeceras HTTP correctamente, lo que permite que atacantes remotos lleven a cabo ataques de contrabando de peticiones HTTP mediante una petición con dos cabeceras Content-lengt... • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.8EPSS: 1%CPEs: 16EXPL: 0CVE-2015-5739 – golang: HTTP request smuggling in net/http library
https://notcve.org/view.php?id=CVE-2015-5739
18 Oct 2017 — The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." La biblioteca net/http en net/textproto/reader.go en Go en versiones anteriores a la 1.4.3 no analiza sintácticamente claves de cabecera HTTP correctamente, lo que permite que atacantes remotos lleven a cabo ataques de contrabando de... • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.8EPSS: 6%CPEs: 11EXPL: 0CVE-2017-15041 – golang: arbitrary code execution during "go get" or "go get -d"
https://notcve.org/view.php?id=CVE-2017-15041
05 Oct 2017 — Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repositor... • http://www.securityfocus.com/bid/101196 •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2017-15042 – golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
https://notcve.org/view.php?id=CVE-2017-15042
05 Oct 2017 — An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STAR... • http://www.securityfocus.com/bid/101197 • CWE-300: Channel Accessible by Non-Endpoint CWE-319: Cleartext Transmission of Sensitive Information •