CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28851 – golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
https://notcve.org/view.php?id=CVE-2020-28851
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go versión 1.15.4, se produce un pánico "index out of range" en language.ParseAcceptLanguage mientras se analiza la extensión -u-. (Se supone que x/text/language puede analizar un encabezado HTTP Accept-Language). A flaw was found in golang.org. • https://github.com/golang/go/issues/42535 https://security.netapp.com/advisory/ntap-20210212-0004 https://access.redhat.com/security/cve/CVE-2020-28851 https://bugzilla.redhat.com/show_bug.cgi?id=1913333 • CWE-129: Improper Validation of Array Index •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29509
https://notcve.org/view.php?id=CVE-2020-29509
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de atributos durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas del procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29511
https://notcve.org/view.php?id=CVE-2020-29511
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de los elementos durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas de procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29510
https://notcve.org/view.php?id=CVE-2020-29510
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go versiones 1.15 y anteriores no conserva correctamente la semántica de las directivas durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas de procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28362 – golang: math/big: panic during recursive division of very large numbers
https://notcve.org/view.php?id=CVE-2020-28362
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.4, permite una Denegación de Servicio A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability is to system availability. • https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI https://lists.apache.org/thread.html/rd02e75766cd333a0df417588460f5e4477060633000bfe94955851fd%40%3Cissues.trafficcontrol.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO https://security.netapp.com/advisory/ntap-20201202-0004 https://www.arista.com/en/support/advisories-notices/ • CWE-295: Improper Certificate Validation •