Page 15 of 123 results (0.021 seconds)

CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 2

CVE-2021-38297 – golang: Command-line arguments may overwrite global data

https://notcve.org/view.php?id=CVE-2021-38297

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Go versiones anteriores a 1.16.9 y versiones 1.17.x anteriores a 1.17.2, presenta un Desbordamiento de Búfer por medio de argumentos grandes en una invocación de función desde un módulo WASM, cuando GOARCH=wasm GOOS=js es usado A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions, it is not affected, although it uses golang. • https://github.com/gkrishnan724/CVE-2021-38297 https://github.com/paras98/CVE-2021-38297-Go-wasm-Replication https://groups.google.com/forum/#%21forum/golang-announce https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVSS: 5.9EPSS: 1%CPEs: 9EXPL: 0

CVE-2021-36221 – golang: net/http/httputil: panic due to racy read of persistConn after handler panic

https://notcve.org/view.php?id=CVE-2021-36221

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Go versiones anteriores a 1.15.15 y 1.16.x versiones anteriores a 1.16.7, presenta una condición de carrera que puede conllevar un pánico de net/http/httputil ReverseProxy al abortar ErrAbortHandler A race condition flaw was found in Go. The incoming requests body weren't closed after the handler panic and as a consequence this could lead to ReverseProxy crash. The highest threat from this vulnerability is to Availability. • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf https://groups.google.com/forum/#%21forum/golang-announce https://groups.google.com/g/golang-announce/c/JvWG9FUUYT0 https://groups.google.com/g/golang-announce/c/uHACNfXAZqk https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://lists.fedoraproject.org/archives/list/ • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2

CVE-2021-29923 – golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet

https://notcve.org/view.php?id=CVE-2021-29923

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. Go versiones anteriores a 1.17, no considera apropiadamente los caracteres cero extraños al principio de un octeto de dirección IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso que es basado en las direcciones IP, debido a una interpretación octal inesperada. Esto afecta a net.ParseIP y net.ParseCIDR A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. • https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis https://github.com/golang/go/issues/30999 https://github.com/golang/go/issues/43389 https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md https://go-review.googlesource.com/c/go/+/325829 https://golang.org/pkg/net/#ParseCIDR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM https://security.gentoo.org/glsa/202208-02 https: • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1

CVE-2021-33198 – golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

https://notcve.org/view.php?id=CVE-2021-33198

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, puede haber un pánico por un exponente grande al método math/big.Rat SetString o UnmarshalText. A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33198 https://bugzilla.redhat.com/show_bug.cgi?id=1989575 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1

CVE-2021-33197 – golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

https://notcve.org/view.php?id=CVE-2021-33197

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, algunas configuraciones de ReverseProxy (desde net/http/httputil) resultan en una situación en la que un atacante es capaz de dejar caer cabeceras arbitrarias A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33197 https://bugzilla.redhat.com/show_bug.cgi?id=1989570 • CWE-20: Improper Input Validation CWE-862: Missing Authorization •