Page 22 of 153 results (0.012 seconds)

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de los elementos durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas de procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go versiones 1.15 y anteriores no conserva correctamente la semántica de las directivas durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante diseñar entradas que se comportan de manera conflictiva durante las diferentes etapas de procesamiento en las aplicaciones previas afectadas • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md https://security.netapp.com/advisory/ntap-20210129-0006 • CWE-115: Misinterpretation of Input •

CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.4, permite una Denegación de Servicio A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability is to system availability. • https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI https://lists.apache.org/thread.html/rd02e75766cd333a0df417588460f5e4477060633000bfe94955851fd%40%3Cissues.trafficcontrol.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO https://security.netapp.com/advisory/ntap-20201202-0004 https://www.arista.com/en/support/advisories-notices/ • CWE-295: Improper Certificate Validation •

CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. La inyección de código en el comando go con cgo antes de Go 1.14.12 y Go 1.15.5 permite la ejecución de código arbitrario en tiempo de compilación a través de banderas gcc maliciosas especificadas a través de una directiva #cgo An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. • https://go.dev/cl/267277 https://go.dev/issue/42556 https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html https://pkg.go.dev/vuln/GO-2022-0476 https://access.redhat.com/security/cve/CVE-2020-28367 https://bugzilla.redhat.com/show_bug.cgi?id=1897646 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.5, permite una Inyección de Código An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository that includes malicious pre-built object files that could execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. • https://go.dev/cl/269658 https://go.dev/issue/42559 https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM https://pkg.go.dev/vuln/GO-2022-0475 https://access.redhat.com/security/cve/CVE-2020-28366 https://bugzilla.redhat.com/show_bug.cgi?id=1897643 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •