CVSS: 5.9EPSS: 1%CPEs: 9EXPL: 0CVE-2021-36221 – golang: net/http/httputil: panic due to racy read of persistConn after handler panic
https://notcve.org/view.php?id=CVE-2021-36221
Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Go versiones anteriores a 1.15.15 y 1.16.x versiones anteriores a 1.16.7, presenta una condición de carrera que puede conllevar un pánico de net/http/httputil ReverseProxy al abortar ErrAbortHandler A race condition flaw was found in Go. The incoming requests body weren't closed after the handler panic and as a consequence this could lead to ReverseProxy crash. The highest threat from this vulnerability is to Availability. • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf https://groups.google.com/forum/#%21forum/golang-announce https://groups.google.com/g/golang-announce/c/JvWG9FUUYT0 https://groups.google.com/g/golang-announce/c/uHACNfXAZqk https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/ • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-29923 – golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
https://notcve.org/view.php?id=CVE-2021-29923
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. Go versiones anteriores a 1.17, no considera apropiadamente los caracteres cero extraños al principio de un octeto de dirección IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso que es basado en las direcciones IP, debido a una interpretación octal inesperada. Esto afecta a net.ParseIP y net.ParseCIDR A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. • https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis https://github.com/golang/go/issues/30999 https://github.com/golang/go/issues/43389 https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md https://go-review.googlesource.com/c/go/+/325829 https://golang.org/pkg/net/#ParseCIDR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM https://security.gentoo.org/glsa/202208-02 https: • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33198 – golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
https://notcve.org/view.php?id=CVE-2021-33198
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, puede haber un pánico por un exponente grande al método math/big.Rat SetString o UnmarshalText. A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33198 https://bugzilla.redhat.com/show_bug.cgi?id=1989575 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33197 – golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
https://notcve.org/view.php?id=CVE-2021-33197
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, algunas configuraciones de ReverseProxy (desde net/http/httputil) resultan en una situación en la que un atacante es capaz de dejar caer cabeceras arbitrarias A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33197 https://bugzilla.redhat.com/show_bug.cgi?id=1989570 • CWE-20: Improper Input Validation CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 1CVE-2021-33195 – golang: net: lookup functions may return invalid host names
https://notcve.org/view.php?id=CVE-2021-33195
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5 tiene funciones para las búsquedas de DNS que no validan las respuestas de los servidores DNS, y por lo tanto un valor de retorno puede contener una inyección insegura (por ejemplo, XSS) que no se ajusta al formato RFC1035 A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20210902-0005 https://access.redhat.com/security/cve/CVE-2021-33195 https://bugzilla.redhat.com/show_bug.cgi?id=1989564 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •