CVE-2021-29923 – golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
https://notcve.org/view.php?id=CVE-2021-29923
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered, which could allow an attacker to bypass IP-based access controls.
• https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis https://github.com/golang/go/issues/30999 https://github.com/golang/go/issues/43389 https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md https://go-review.googlesource.com/c/go/+/325829 https://golang.org/pkg/net/#ParseCIDR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM https://security.gentoo.org/glsa/202208-02 https:
• CWE-20: Improper Input Validation
CVE-2021-33198 – golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
https://notcve.org/view.php?id=CVE-2021-33198
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability.
• https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33198 https://bugzilla.redhat.com/show_bug.cgi?id=1989575
• CWE-400: Uncontrolled Resource Consumption
CVE-2021-33197 – golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
https://notcve.org/view.php?id=CVE-2021-33197
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
• https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-33197 https://bugzilla.redhat.com/show_bug.cgi?id=1989570
• CWE-20: Improper Input Validation
• CWE-862: Missing Authorization
CVE-2021-33195 – golang: net: lookup functions may return invalid host names
https://notcve.org/view.php?id=CVE-2021-33195
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.
• https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20210902-0005 https://access.redhat.com/security/cve/CVE-2021-33195 https://bugzilla.redhat.com/show_bug.cgi?id=1989564
• CWE-20: Improper Input Validation
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-34558 – golang: crypto/tls: certificate of wrong type is causing TLS client to panic
https://notcve.org/view.php?id=CVE-2021-34558
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing an RSA-based key exchange, allowing a malicious TLS server to cause a TLS client to panic. A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
• https://golang.org/doc/devel/release#go1.16.minor https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BA7MFVXRBEKRTLSLYDICTYCGEMK2HZ7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XBQUFVI5TMV4KMKI7GKA223LHGPQISE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BTC3JQUASFN5U2XA4UZIGAPZQBD5JSS https:/
• CWE-20: Improper Input Validation
• CWE-295: Improper Certificate Validation