Page 14 of 121 results (0.015 seconds)

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. net/http en Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5, permite un consumo no controlado de memoria en la caché de canonización del encabezado por medio de peticiones HTTP/2. There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources. • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf https://groups.google.com/g/golang-announce/c/hcmEScgc00k https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20220121-0002 https://access.redhat.com/security/cve/CVE-2021-44716 https:/ • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. ImportedSymbols en debug/macho (para Open u OpenFat) en Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, Accede a una Ubicación de Memoria Después del Final de un Búfer, también se conoce como una situación de "out-of-bounds slice" An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf https://groups.google.com/g/golang-announce/c/0fM21h43arc https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z https://lists.fedoraproject.org/archives/list/package-announce& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, permite un pánico de archivo/zip Reader.Open por medio de un archivo ZIP diseñado que contiene un nombre no válido o un campo filename vacío A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument. • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf https://groups.google.com/g/golang-announce/c/0fM21h43arc https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20211210-0003 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •

CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 2

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Go versiones anteriores a 1.16.9 y versiones 1.17.x anteriores a 1.17.2, presenta un Desbordamiento de Búfer por medio de argumentos grandes en una invocación de función desde un módulo WASM, cuando GOARCH=wasm GOOS=js es usado A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions, it is not affected, although it uses golang. • https://github.com/gkrishnan724/CVE-2021-38297 https://github.com/paras98/CVE-2021-38297-Go-wasm-Replication https://groups.google.com/forum/#%21forum/golang-announce https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVSS: 5.9EPSS: 1%CPEs: 9EXPL: 0

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Go versiones anteriores a 1.15.15 y 1.16.x versiones anteriores a 1.16.7, presenta una condición de carrera que puede conllevar un pánico de net/http/httputil ReverseProxy al abortar ErrAbortHandler A race condition flaw was found in Go. The incoming requests body weren't closed after the handler panic and as a consequence this could lead to ReverseProxy crash. The highest threat from this vulnerability is to Availability. • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf https://groups.google.com/forum/#%21forum/golang-announce https://groups.google.com/g/golang-announce/c/JvWG9FUUYT0 https://groups.google.com/g/golang-announce/c/uHACNfXAZqk https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/ • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •