CVE-2021-33197 – golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
https://notcve.org/view.php?id=CVE-2021-33197
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, algunas configuraciones de ReverseProxy (desde net/http/httputil) resultan en una situación en la que un atacante es capaz de dejar caer cabeceras arbitrarias A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33197 https://bugzilla.redhat.com/show_bug.cgi?id=1989570 • CWE-20: Improper Input Validation CWE-862: Missing Authorization •
CVE-2021-33195 – golang: net: lookup functions may return invalid host names
https://notcve.org/view.php?id=CVE-2021-33195
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5 tiene funciones para las búsquedas de DNS que no validan las respuestas de los servidores DNS, y por lo tanto un valor de retorno puede contener una inyección insegura (por ejemplo, XSS) que no se ajusta al formato RFC1035 A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20210902-0005 https://access.redhat.com/security/cve/CVE-2021-33195 https://bugzilla.redhat.com/show_bug.cgi?id=1989564 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2021-34558 – golang: crypto/tls: certificate of wrong type is causing TLS client to panic
https://notcve.org/view.php?id=CVE-2021-34558
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. El paquete crypto/tls de Go versiones hasta 1.16.5, no afirma apropiadamente que el tipo de clave pública en un certificado X.509 coincida con el tipo esperado cuando se hace un intercambio de claves basado en RSA, permitiendo a un servidor TLS malicioso causar el pánico en un cliente TLS A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. • https://golang.org/doc/devel/release#go1.16.minor https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BA7MFVXRBEKRTLSLYDICTYCGEMK2HZ7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XBQUFVI5TMV4KMKI7GKA223LHGPQISE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BTC3JQUASFN5U2XA4UZIGAPZQBD5JSS https:/ • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVE-2012-2666
https://notcve.org/view.php?id=CVE-2012-2666
golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. golang/go en versión 1.0.2 corrige all.bash en máquinas compartidas. La función dotest() en el archivo src/pkg/debug/gosym/pclntab_test.go crea un archivo temporal con nombre predecible y lo ejecuta como script de shell • https://bugzilla.suse.com/show_bug.cgi?id=765455 https://codereview.appspot.com/5992078 https://github.com/golang/go/commit/8ac275bb01588a8c0e6c0fe2de7fd11f08feccdd https://security.netapp.com/advisory/ntap-20210902-0009 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2012-2666 • CWE-377: Insecure Temporary File •
CVE-2021-33196 – golang: archive/zip: malformed archive may cause panic or memory exhaustion
https://notcve.org/view.php?id=CVE-2021-33196
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. En archive/zip en Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, un recuento de archivos crafteado (en la cabecera de un archivo) puede causar un pánico en NewReader u OpenReader. A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33196 https://bugzilla.redhat.com/show_bug.cgi?id=1965503 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •