CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 3CVE-2020-24553 – golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
https://notcve.org/view.php?id=CVE-2020-24553
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. Go versiones anteriores a 1.14.8 y versiones 1.15.x anteriores a 1.15.1, permite un ataque de tipo XSS porque text/html es el predeterminado para los manejadores de CGI/FCGI que carecen de un encabezado Content-Type A flaw was found in the Go standard library packages before upstream versions 1.15 and 1.14.8. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". This flaw allows an attacker to exploit this issue in applications using these packages by uploading crafted files, allowing a Cross-site Scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00002.html http://packetstormsecurity.com/files/159049/Go-CGI-FastCGI-Transport-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2020/Sep/5 https://groups.google.com/forum/#%21topic/golang-announce/8wqlSbkLdPs https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W https://security.netapp.com/advisory • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 4%CPEs: 8EXPL: 0CVE-2020-16845 – golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
https://notcve.org/view.php?id=CVE-2020-16845
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. Go versiones anteriores a 1.13.15 y versiones 14.x anteriores a 1.14.7, puede presentar un bucle de lectura infinito en las funciones ReadUvarint y ReadVarint en encoding/binary por medio de entradas no válidas A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw possibly leads to processing more input than expected. The highest threat from this vulnerability is to system availability. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html https://groups.google.com/forum/#%21topic/golang-announce/NyPIaucMgXo https://groups.google.com/forum/#%21topic/golang-announce/_ulYYcIWg3Q https://lists.debian.org/debian-lts-announce/2020/11/msg00037& • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-14039
https://notcve.org/view.php?id=CVE-2020-14039
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. En Go versiones anteriores a 1.13.13 y versiones 1.14.x anteriores a 1.14.5, Certificate.Verify puede carecer de una comprobación en los requisitos VerifyOptions.KeyUsages EKU (si VerifyOptions.Roots es igual a cero y la instalación está en Windows). Entonces, la verificación del certificado X.509 está incompleta • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html https://groups.google.com/forum/#%21forum/golang-announce https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w https://security.netapp.com/advisory/ntap-20200731-0005 https://www.ora • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 1%CPEs: 10EXPL: 0CVE-2020-15586 – golang: data race in certain net/http servers including ReverseProxy can lead to DoS
https://notcve.org/view.php?id=CVE-2020-15586
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. Go versiones anteriores a 1.13.13 y versiones 1.14.x anteriores a 1.14.5, presenta una carrera de datos en algunos servidores net/http, como es demostrado por el Manejador httputil.ReverseProxy, porque lee un cuerpo de petición y escribe una respuesta al mismo tiempo A flaw was found Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w https://groups.google.com/forum/#%21topic/golang-announce/f2c5bqrGH_g https://lists.debian.org/debian-lts-announce/2020/11/msg00037& • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2015-5741 – golang: HTTP request smuggling in net/http library
https://notcve.org/view.php?id=CVE-2015-5741
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. La biblioteca net/http en el archivo net/http/transfer.go en Go versiones anteriores a 1.4.3, no analiza apropiadamente los encabezados HTTP, lo que permite a atacantes remotos llevar a cabo ataques de tráfico no autorizado de peticiones HTTP por medio de una petición que contiene campos de encabezado Content-Length y Transfer-Encoding . HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted). A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (denial of service). • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html http://seclists.org/oss-sec/2015/q3/237 http://seclists.org/oss-sec/2015/q3/292 http://seclists.org/oss-sec/2015/q3/294 https://bugzilla.redhat.com/show_bug.cgi?id=1250352 https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f https://access.redhat.com/security/cve/CVE-2015-5741 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •