Page 17 of 119 results (0.007 seconds)

CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). Go versiones anteriores a 1.14.14 y versiones 1.15. x anteriores a 1.15.7 en Windows, es vulnerable a una inyección de comandos y una ejecución de código remota cuando es usado el comando "go get" para buscar módulos que hacen uso de cgo (por ejemplo, cgo puede ejecutar un programa gcc desde una descarga que no es confiable) A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use on Windows OS. On Linux/Unix, only users who have "." listed explicitly in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://blog.golang.org/path-security https://groups.google.com/g/golang-announce/c/mperVMGa98w https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20210219-0001 https://access.redhat.com/security/cve/CVE-2021-3115 https://bugzilla.redhat.com/show_bug.cgi?id=1918761 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-427: Uncontrolled Search Path Element •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go versión 1.15.4, se produce un pánico "index out of range" en language.ParseAcceptLanguage mientras se analiza la extensión -u-. (Se supone que x/text/language puede analizar un encabezado HTTP Accept-Language). A flaw was found in golang.org. • https://github.com/golang/go/issues/42535 https://security.netapp.com/advisory/ntap-20210212-0004 https://access.redhat.com/security/cve/CVE-2020-28851 https://bugzilla.redhat.com/show_bug.cgi?id=1913333 • CWE-129: Improper Validation of Array Index •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de atributos durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas del procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de los elementos durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas de procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go versiones 1.15 y anteriores no conserva correctamente la semántica de las directivas durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas de procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •