Page 20 of 119 results (0.010 seconds)

CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 2

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. Go versiones anteriores a 1.12.11 y versiones 1.3.x anteriores a 1.13.2, puede entrar en pánico tras intentar procesar el tráfico de red que contiene una clave pública DSA no válida. Existen varios escenarios de ataque, tal y como el tráfico de un cliente hacia un servidor que comprueba los certificados del cliente. • https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596 http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html https://access.redhat.com/errata/RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0329 https://github.com/golang/go/issues/34960 https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https& • CWE-295: Improper Certificate Validation CWE-436: Interpretation Conflict •

CVSS: 7.5EPSS: 1%CPEs: 14EXPL: 0

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. Go versiones anteriores a 1.12.10 y versiones 1.13.x anteriores a 1.13.1, permitir el Trafico No Autorizado de Peticiones HTTP. It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html https://access.redhat.com/errata/RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0329 https://access.redhat.com/errata/RHSA-2020:0652 https://github.com/golang/go/issues/34540 https://groups.google.com/forum/#%21msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https&# • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 9.8EPSS: 3%CPEs: 3EXPL: 1

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. net / url in Go antes del 1.11.13 y 1.12.x antes del 1.12.8 maneja mal los hosts mal formados en las URL, lo que lleva a una omisión de autorización en algunas aplicaciones. Esto está relacionado con un campo Host con un sufijo que no aparece en Hostname () ni Port (), y está relacionado con un número de puerto no numérico. Por ejemplo, un atacante puede componer un javascript creado: // URL que da como resultado un nombre de host de google.com. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html https://access.redhat.com/errata/RHSA-2019:3433 https://github.com/golang/go/issues/29098 https://groups.google.com/forum/ • CWE-285: Improper Authorization •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. Repase la sección 1.12.5 de Windows, que trata mal la creación de procesos con un entorno nulo en combinación con un token no nulo, que permite a los atacantes obtener información confidencial u obtener privilegios. • https://go-review.googlesource.com/c/go/+/176619 • CWE-269: Improper Privilege Management •

CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. Se ha descubierto un problema en net/http en Go 1.11.5. Es posible la inyección CRLF si el atacante controla un parámetro de url, tal y como queda demostrado por el segundo argumento en http.NewRequest con \r\n, seguido por una cabecera HTTP o un comando Redis. • http://www.securityfocus.com/bid/107432 https://access.redhat.com/errata/RHSA-2019:1300 https://access.redhat.com/errata/RHSA-2019:1519 https://github.com/golang/go/issues/30794 https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •