Page 13 of 83 results (0.012 seconds)

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

CVE-2021-44716 – golang: net/http: limit growth of header canonicalization cache

https://notcve.org/view.php?id=CVE-2021-44716

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. net/http en Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5, permite un consumo no controlado de memoria en la caché de canonización del encabezado por medio de peticiones HTTP/2. There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources. • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf https://groups.google.com/g/golang-announce/c/hcmEScgc00k https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20220121-0002 https://access.redhat.com/security/cve/CVE-2021-44716 https:/ • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0

CVE-2021-44717 – golang: syscall: don't close fd 0 on ForkExec error

https://notcve.org/view.php?id=CVE-2021-44717

Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5 en UNIX, permite operaciones de escritura en un archivo no deseado o en una conexión de red no deseada como consecuencia de un cierre erróneo del descriptor de archivo 0 tras el agotamiento del descriptor de archivo. There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec(). • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf https://groups.google.com/g/golang-announce/c/hcmEScgc00k https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-44717 https://bugzilla.redhat.com/show_bug.cgi?id=2030806 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-404: Improper Resource Shutdown or Release •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

CVE-2021-41772 – golang: archive/zip: Reader.Open panics on empty string

https://notcve.org/view.php?id=CVE-2021-41772

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, permite un pánico de archivo/zip Reader.Open por medio de un archivo ZIP diseñado que contiene un nombre no válido o un campo filename vacío A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument. • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf https://groups.google.com/g/golang-announce/c/0fM21h43arc https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20211210-0003 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

CVE-2021-41771 – golang: debug/macho: invalid dynamic symbol table command can cause panic

https://notcve.org/view.php?id=CVE-2021-41771

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. ImportedSymbols en debug/macho (para Open u OpenFat) en Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, Accede a una Ubicación de Memoria Después del Final de un Búfer, también se conoce como una situación de "out-of-bounds slice" An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf https://groups.google.com/g/golang-announce/c/0fM21h43arc https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z https://lists.fedoraproject.org/archives/list/package-announce& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 2

CVE-2021-38297 – golang: Command-line arguments may overwrite global data

https://notcve.org/view.php?id=CVE-2021-38297

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Go versiones anteriores a 1.16.9 y versiones 1.17.x anteriores a 1.17.2, presenta un Desbordamiento de Búfer por medio de argumentos grandes en una invocación de función desde un módulo WASM, cuando GOARCH=wasm GOOS=js es usado A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions, it is not affected, although it uses golang. • https://github.com/gkrishnan724/CVE-2021-38297 https://github.com/paras98/CVE-2021-38297-Go-wasm-Replication https://groups.google.com/forum/#%21forum/golang-announce https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •