CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-44717 – golang: syscall: don't close fd 0 on ForkExec error
https://notcve.org/view.php?id=CVE-2021-44717
16 Dec 2021 — Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5 en UNIX, permite operaciones de escritura en un archivo no deseado o en una conexión de red no deseada como consecuencia de un cierre erróneo del descriptor de archivo 0 tras el agotamiento del descriptor de archivo.... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-404: Improper Resource Shutdown or Release •
CVSS: 7.5EPSS: 3%CPEs: 4EXPL: 0CVE-2021-44716 – golang: net/http: limit growth of header canonicalization cache
https://notcve.org/view.php?id=CVE-2021-44716
16 Dec 2021 — net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. net/http en Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5, permite un consumo no controlado de memoria en la caché de canonización del encabezado por medio de peticiones HTTP/2. There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39293 – golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
https://notcve.org/view.php?id=CVE-2021-39293
02 Dec 2021 — In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. En archive/zip en Go versiones anteriores a 1.16.8 y 1.17.x versiones anteriores a 1.17.1, un encabezado de archivo diseñada (designando falsamente que hay muchos archivos presentes) puede causar un pánico en NewReader o OpenReader. NOTA: este problema se pres... • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-41772 – golang: archive/zip: Reader.Open panics on empty string
https://notcve.org/view.php?id=CVE-2021-41772
08 Nov 2021 — Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, permite un pánico de archivo/zip Reader.Open por medio de un archivo ZIP diseñado que contiene un nombre no válido o un campo filename vacío A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementi... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2021-41771 – golang: debug/macho: invalid dynamic symbol table command can cause panic
https://notcve.org/view.php?id=CVE-2021-41771
08 Nov 2021 — ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. ImportedSymbols en debug/macho (para Open u OpenFat) en Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, Accede a una Ubicación de Memoria Después del Final de un Búfer, también se conoce como una situación de "out-of-bounds slice" An out of bounds read vulnerability was found in debug/macho of ... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 2CVE-2021-38297 – golang: Command-line arguments may overwrite global data
https://notcve.org/view.php?id=CVE-2021-38297
18 Oct 2021 — Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Go versiones anteriores a 1.16.9 y versiones 1.17.x anteriores a 1.17.2, presenta un Desbordamiento de Búfer por medio de argumentos grandes en una invocación de función desde un módulo WASM, cuando GOARCH=wasm GOOS=js es usado A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAss... • https://github.com/gkrishnan724/CVE-2021-38297 • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.9EPSS: 0%CPEs: 9EXPL: 0CVE-2021-36221 – golang: net/http/httputil: panic due to racy read of persistConn after handler panic
https://notcve.org/view.php?id=CVE-2021-36221
08 Aug 2021 — Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Go versiones anteriores a 1.15.15 y 1.16.x versiones anteriores a 1.16.7, presenta una condición de carrera que puede conllevar un pánico de net/http/httputil ReverseProxy al abortar ErrAbortHandler A race condition flaw was found in Go. The incoming requests body weren't closed after the handler panic and as a consequence this could lead to ReverseProxy cras... • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-29923 – golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
https://notcve.org/view.php?id=CVE-2021-29923
07 Aug 2021 — Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. Go versiones anteriores a 1.17, no considera apropiadamente los caracteres cero extraños al principio de un octeto de dirección IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso qu... • https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33198 – golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
https://notcve.org/view.php?id=CVE-2021-33198
02 Aug 2021 — In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, puede haber un pánico por un exponente grande al método math/big.Rat SetString o UnmarshalText. A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from... • https://groups.google.com/g/golang-announce • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33197 – golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
https://notcve.org/view.php?id=CVE-2021-33197
02 Aug 2021 — In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, algunas configuraciones de ReverseProxy (desde net/http/httputil) resultan en una situación en la que un atacante es capaz de dejar caer cabeceras arbitrarias A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy for... • https://groups.google.com/g/golang-announce • CWE-20: Improper Input Validation CWE-862: Missing Authorization •