CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2018-17142
https://notcve.org/view.php?id=CVE-2018-17142
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call. El paquete html (también conocido como x/net/html) hasta el 2018-09-17 en Go gestiona de manera incorrecta , lo que conduce a un "panic: runtime error" en parseCurrentToken en parse.go durante una llamada html.Parse. • https://github.com/golang/go/issues/27702 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2018-17143
https://notcve.org/view.php?id=CVE-2018-17143
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call. El paquete html (también conocido como x/net/html) hasta el 2018-09-17 en Go gestiona de manera incorrecta /action=0>, lo que conduce a un "panic: runtime error" en inBodyIM en parse.go durante una llamada html.Parse. • https://github.com/golang/go/issues/27704 https://go-review.googlesource.com/c/net/+/136575 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2018-17075
https://notcve.org/view.php?id=CVE-2018-17075
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit. El paquete html (también conocido como x net html) en versiones anteriores al 2018-07-13 en Go gestiona de manera incorrecta el modo de inserción "in frameset", lo que conduce a un "panic: runtime error" para html.Parse de template object , template applet o template marquee . Esto está relacionado con HTMLTreeBuilder.cpp en WebKit. • https://bugs.chromium.org/p/chromium/issues/detail?id=829668 https://github.com/golang/go/issues/27016 https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK • CWE-476: NULL Pointer Dereference •
CVSS: 9.3EPSS: 30%CPEs: 4EXPL: 1CVE-2018-7187
https://notcve.org/view.php?id=CVE-2018-7187
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. La implementación "go get" en Go 1.9.4, cuando se emplea la opción -insecure command-line, no valida la ruta de importación (get/vcs.go solo busca "://" en cualquier lugar de la cadena), lo que permite que atacantes remotos ejecuten comandos arbitrarios del sistema operativo mediante un sitio web manipulado. • https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc https://github.com/golang/go/issues/23867 https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html https://security.gentoo.org/glsa/201804-12 https://www.debian.org/security/2019/dsa-4379 https://www.debian.org/security/2019/dsa-4380 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 3%CPEs: 13EXPL: 28CVE-2018-6574 – golang: arbitrary code execution during "go get" via C compiler options
https://notcve.org/view.php?id=CVE-2018-6574
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. Go, en versiones anteriores a la 1.8.7; Go en versiones 1.9.x anteriores a la 1.9.4 y los prelanzamientos de Go 1.10 anteriores a Go 1.10rc2 permiten la ejecución remota de comandos "go get" durante la construcción del código fuente aprovechando la característica del plugin gcc o clang debido a que los argumentos -fplugin= y -plugin= no se bloquearon. An arbitrary command execution flaw was found in the way Go's "go get" command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. • https://github.com/neargle/Go-Get-RCE-CVE-2018-6574-POC https://github.com/qweraqq/CVE-2018-6574 https://github.com/frozenkp/CVE-2018-6574 https://github.com/darthvader-htb/CVE-2018-6574 https://github.com/antunesmpedro/CVE-2018-6574 https://github.com/asavior2/CVE-2018-6574 https://github.com/Dannners/CVE-2018-6574-go-get-RCE https://github.com/jftierno/-CVE-2018-6574 https://github.com/ItsFadinG/CVE-2018-6574 https://github.com/OLAOLAOLA789/CVE-2018-6574 htt • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •