CVSS: 8.6EPSS: 1%CPEs: 7EXPL: 0CVE-2021-3121 – gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
https://notcve.org/view.php?id=CVE-2021-3121
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. Se detectó un problema en GoGo Protobuf versiones anteriores a 1.3.2. El archivo plugin/unmarshal/unmarshal.go carece de determinada comprobación de índice, también se conoce como el problema "skippy peanut butter" A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability. • https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025 https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2 https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E https://lists.apache.org&#x • CWE-129: Improper Validation of Array Index •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28852 – golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
https://notcve.org/view.php?id=CVE-2020-28852
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go anterior a la versión v0.3.5, un pánico "slice bounds out of range" se produce en language.ParseAcceptLanguage mientras se procesa una etiqueta BCP 47. (Se supone que x/text/language puede ser capaz de analizar un encabezado HTTP Accept-Language) A flaw was found in golang.org. In x/text, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. • https://github.com/golang/go/issues/42536 https://security.netapp.com/advisory/ntap-20210212-0004 https://access.redhat.com/security/cve/CVE-2020-28852 https://bugzilla.redhat.com/show_bug.cgi?id=1913338 • CWE-129: Improper Validation of Array Index •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28851 – golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
https://notcve.org/view.php?id=CVE-2020-28851
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go versión 1.15.4, se produce un pánico "index out of range" en language.ParseAcceptLanguage mientras se analiza la extensión -u-. (Se supone que x/text/language puede analizar un encabezado HTTP Accept-Language). A flaw was found in golang.org. • https://github.com/golang/go/issues/42535 https://security.netapp.com/advisory/ntap-20210212-0004 https://access.redhat.com/security/cve/CVE-2020-28851 https://bugzilla.redhat.com/show_bug.cgi?id=1913333 • CWE-129: Improper Validation of Array Index •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29652 – golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference
https://notcve.org/view.php?id=CVE-2020-29652
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. Una desreferencia de puntero null en el componente golang.org/x/crypto/ssh versiones hasta v0.0.0-20201203163018-be400aefbc4c para Go, permite a atacantes remotos causar una denegación de servicio contra servidores SSH A null pointer dereference vulnerability was found in golang. When using the library's ssh server without specifying an option for GSSAPIWithMICConfig, it is possible for an attacker to craft an ssh client connection using the `gssapi-with-mic` authentication method and cause the server to panic resulting in a denial of service. The highest threat from this vulnerability is to system availability. • https://go-review.googlesource.com/c/crypto/+/278852 https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1 https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E https://access.redhat.com/security/cve/CVE-2020-29652 https://bugzilla.redhat.com/show_bug.cgi?id=1908883 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29509
https://notcve.org/view.php?id=CVE-2020-29509
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de atributos durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas del procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •