CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-32190 – Failure to strip relative path components in net/url
https://notcve.org/view.php?id=CVE-2022-32190
13 Sep 2022 — JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. JoinPath y URL.JoinPath no eliminan los elementos de ruta ../ anexados a una ruta relativa. • https://go.dev/cl/423514 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-27664 – golang: net/http: handle server errors after sending GOAWAY
https://notcve.org/view.php?id=CVE-2022-27664
06 Sep 2022 — In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. En net/http en Go versiones anteriores a 1.18.6 y 1.19.x anteriores a 1.19.1, los atacantes pueden causar una denegación de servicio porque una conexión HTTP/2 puede colgarse durante el cierre si el apagado fue adelantado por un error fatal. A flaw was found in the golang package. In net/http in Go, attackers can c... • https://groups.google.com/g/golang-announce • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30580 – Empty Cmd.Path can trigger unintended binary in os/exec on Windows
https://notcve.org/view.php?id=CVE-2022-30580
09 Aug 2022 — Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. Una inyección de código en el archivo Cmd.Start en os/exec versiones anteriores a Go 1.17.11 y Go 1.18.3, permite una ejecución de cualquier binario en el directorio de trabajo llamado "..com" o "..exe" llamando a Cmd.Run, Cmd.Start, Cmd.Output o Cmd.CombinedOut... • https://go.dev/cl/403759 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29804 – Path traversal via Clean on Windows in path/filepath
https://notcve.org/view.php?id=CVE-2022-29804
09 Aug 2022 — Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. En filepath.Clean en path/filepath en Go versiones anteriores a 1.17.11 y en 1.18.x antes de 1.18.3 en Windows, las rutas inválidas como .\c: podían convertirse en rutas válidas (como c: en este ejemplo). • https://go.dev/cl/401595 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-1962 – Stack exhaustion due to deeply nested types in go/parser
https://notcve.org/view.php?id=CVE-2022-1962
04 Aug 2022 — Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. Una recursión no controlada en las funciones Parse en go/parser versiones anteriores a Go 1.17.12 y Go 1.18.4, permite a un atacante causar un pánico debido al agotamiento de la pila por medio de tipos o declaraciones profundamente anidados A flaw was found in the golang standard library, go/parser. When calling any Par... • https://go.dev/cl/417063 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-1705 – Improper sanitization of Transfer-Encoding headers in net/http
https://notcve.org/view.php?id=CVE-2022-1705
04 Aug 2022 — Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. La aceptación de algunos encabezados Transfer-Encoding inválidas en el cliente HTTP/1 en net/http versiones anteriores a Go 1.17.12 y Go 1.18.4, permite un contrabando de peticiones HTTP si es combinado con un servidor intermedio que tampoco rechaza indebidamente ... • https://go.dev/cl/409874 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-28131 – Stack exhaustion from deeply nested XML documents in encoding/xml
https://notcve.org/view.php?id=CVE-2022-28131
04 Aug 2022 — Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. En Decoder.Skip en encoding/xml en Go antes de 1.17.12 y 1.18.x antes de 1.18.4, el agotamiento de la pila y un pánico puede ocurrir a través de un documento XML profundamente anidado A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exha... • https://go.dev/cl/417062 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-32148 – Exposure of client IP addresses in net/http
https://notcve.org/view.php?id=CVE-2022-32148
04 Aug 2022 — Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. Una exposición inapropiada de las direcciones IP de los clientes en net/http versiones anteriores a Go 1.17.12 y Go 1.18.4, puede desencadenarse llamando a httputil.ReverseProxy.ServeHTTP con un ... • https://go.dev/cl/412857 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-32189 – Panic when decoding Float and Rat types in math/big
https://notcve.org/view.php?id=CVE-2022-32189
04 Aug 2022 — A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Un mensaje codificado demasiado corto puede causar un pánico en Float.GobDecode y Rat GobDecode en math/big en Go versiones anteriores a 1.17.13 y 1.18.5, permitiendo potencialmente una denegación de servicio An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDec... • https://go.dev/cl/417774 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-30629 – Session tickets lack random ticket_age_add in crypto/tls
https://notcve.org/view.php?id=CVE-2022-30629
04 Aug 2022 — Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. Valores no aleatorios para la función ticket_age_add en los tickets de sesión en crypto/tls versiones anteriores a Go 1.17.11 y Go 1.18.3, permiten a un atacante que pueda observar los handshakes TLS correlacionar conexiones sucesivas comparando las edades de los tickets ... • https://go.dev/cl/405994 • CWE-330: Use of Insufficiently Random Values CWE-331: Insufficient Entropy •