
CVE-2019-11888
https://notcve.org/view.php?id=CVE-2019-11888
13 May 2019 — Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. • https://go-review.googlesource.com/c/go/+/176619 • CWE-269: Improper Privilege Management •

CVE-2019-11841 – Go Cryptography Libraries Cleartext Message Spoofing
https://notcve.org/view.php?id=CVE-2019-11841
13 May 2019 — A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attac... • https://packetstorm.news/files/id/152840 • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2019-11840 – golang.org/x/crypto: Keystream loop in amd64 assembly when overflowing 32-bit counter
https://notcve.org/view.php?id=CVE-2019-11840
09 May 2019 — An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can... • https://bugzilla.redhat.com/show_bug.cgi?id=1691529 • CWE-330: Use of Insufficiently Random Values •

CVE-2017-18367 – libseccomp-golang: mishandling of multiple argument rules leading to a bypass of intended access restrictions
https://notcve.org/view.php?id=CVE-2017-18367
24 Apr 2019 — libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument. • http://www.openwall.com/lists/oss-security/2019/04/25/6 • CWE-20: Improper Input Validation CWE-305: Authentication Bypass by Primary Weakness •

CVE-2019-9741 – golang: CRLF injection in net/http
https://notcve.org/view.php?id=CVE-2019-9741
13 Mar 2019 — An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. The go-toolset:r... • http://www.securityfocus.com/bid/107432 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVE-2019-9634
https://notcve.org/view.php?id=CVE-2019-9634
08 Mar 2019 — Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. • http://www.openwall.com/lists/oss-security/2019/04/09/1 • CWE-427: Uncontrolled Search Path Element •

CVE-2019-6486 – Debian Security Advisory 4379-1
https://notcve.org/view.php?id=CVE-2019-6486
24 Jan 2019 — Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.html • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2018-16873 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16873
14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git"... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation •

CVE-2018-16874 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16874
14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2018-16875 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16875
14 Dec 2018 — The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. • https://github.com/alexzorin/poc-cve-2018-16875 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •