CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2021-31525 – golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
https://notcve.org/view.php?id=CVE-2021-31525
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. net/http en Go versiones anteriores a 1.15.12 y versiones 1.16.x anteriores a 1.16.4, permite a atacantes remotos causar una denegación de servicio (pánico) por medio de un encabezado grande en los parámetros ReadRequest o ReadResponse. El Servidor, el Transporte y el Cliente pueden estar afectados en algunas configuraciones A vulnerability was detected in net/http of the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go, however, servers are only vulnerable if the value of MaxHeaderBytes has been increased from the default. • https://github.com/golang/go/issues/45710 https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-31525 https://bugzilla.redhat.com/show_bug.cgi?id=1958341 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-33194 – golang: x/net/html: infinite loop in ParseFragment
https://notcve.org/view.php?id=CVE-2021-33194
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. golang.org/x/net antes de v0.0.0-20210520170846-37e1c6afe023 permite a los atacantes provocar una denegación de servicio (bucle infinito) a través de una entrada ParseFragment manipulada A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest threat to the system is of availability. • https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7 https://groups.google.com/g/golang-announce/c/wPunbCPkWUg https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM https://access.redhat.com/security/cve/CVE-2021-33194 https://bugzilla.redhat.com/show_bug.cgi?id=1963232 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27919
https://notcve.org/view.php?id=CVE-2021-27919
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. archive/zip en Go versiones 1.16.x anteriores a 1.16.1, permite a atacantes causar una denegación de servicio (pánico) al intentar usar la API Reader.Open para un archivo ZIP en el que ../ aparece al principio de cualquier nombre de archivo • https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4 https://security.gentoo.org/glsa/202208-02 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-27918 – golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
https://notcve.org/view.php?id=CVE-2021-27918
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. encoding/xml en Go versiones anteriores a 1.15.9 y versiones 1.16.x anteriores a 1.16.1, presenta un bucle infinito si un TokenReader personalizado (para xml.NewTokenDecoder) devuelve EOF en medio de un elemento. Esto puede ocurrir en el método Decode, DecodeElement o Skip An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with `xml.NewTokenDecoder` it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with `EOF` within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS). • https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw https://security.gentoo.org/glsa/202208-02 https://access.redhat.com/security/cve/CVE-2021-27918 https://bugzilla.redhat.com/show_bug.cgi?id=1937901 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 1%CPEs: 7EXPL: 0CVE-2021-3114 – golang: crypto/elliptic: incorrect operations on the P-224 curve
https://notcve.org/view.php?id=CVE-2021-3114
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. En Go versiones anteriores a 1.14.14 y versiones 1.15.x anteriores a 1.15.7, en el archivo crypto/elliptic/p224.go puede generar salidas incorrectas, relacionadas con un subdesbordamiento de la extremidad más baja durante la reducción completa final en el campo P-224 A flaw detected in golang: crypto/elliptic, in which P-224 keys as generated can return incorrect inputs, reducing the strength of the cryptography. The highest threat from this vulnerability is confidentiality and integrity. • https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871 https://groups.google.com/g/golang-announce/c/mperVMGa98w https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ https://security.gentoo.org/glsa/202208-02 https://security.netapp.com/advisory/ntap-20210219-0001 https://www.debian.or • CWE-682: Incorrect Calculation •