CVE-2019-11888
https://notcve.org/view.php?id=CVE-2019-11888
Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. Repase la sección 1.12.5 de Windows, que trata mal la creación de procesos con un entorno nulo en combinación con un token no nulo, que permite a los atacantes obtener información confidencial u obtener privilegios. • https://go-review.googlesource.com/c/go/+/176619 • CWE-269: Improper Privilege Management •
CVE-2019-9741 – golang: CRLF injection in net/http
https://notcve.org/view.php?id=CVE-2019-9741
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. Se ha descubierto un problema en net/http en Go 1.11.5. Es posible la inyección CRLF si el atacante controla un parámetro de url, tal y como queda demostrado por el segundo argumento en http.NewRequest con \r\n, seguido por una cabecera HTTP o un comando Redis. • http://www.securityfocus.com/bid/107432 https://access.redhat.com/errata/RHSA-2019:1300 https://access.redhat.com/errata/RHSA-2019:1519 https://github.com/golang/go/issues/30794 https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVE-2019-9634
https://notcve.org/view.php?id=CVE-2019-9634
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. Go, hasta su versión 1.12 en Windows, utiliza de manera incorrecta determinadas funcionalidades de LoadLibrary, conduciendo a una inyección DLL. • http://www.openwall.com/lists/oss-security/2019/04/09/1 http://www.securityfocus.com/bid/107450 https://github.com/golang/go/issues/30642 • CWE-427: Uncontrolled Search Path Element •
CVE-2019-6486
https://notcve.org/view.php?id=CVE-2019-6486
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. Go, en versiones anteriores a la 1.10.8 y las versiones 1.11.x anteriores a la 1.11.5, gestionan de manera incorrecta las curvas elípticas P-521 y P-384, que permiten que los atacantes provoquen una denegación de servicio (consumo de CPU) o lleven a cabo ataques de recuperación de la clave privada ECDH. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html http://www.securityfocus.com/bid/106740 https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360 https://github.com/golang/go/issues/29903 https://github.com/google/wycheproof https://gr • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2018-16875
https://notcve.org/view.php?id=CVE-2018-16875
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. El paquete crypto/x509 de Go, en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3,no limita la cantidad de trabajo realizado para cada verificación de cadenas, lo que podría permitir que los atacantes manipulen entradas patológicas que conducen a la denegación de servicio (DoS) de la CPU. Los servidores TLS de Go que aceptan certificados de clientes y clientes TLS se han visto afectados. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html http://www.securityfocus.com/bid/106230 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875 https://groups.google.com • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •