CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-44716 – golang: net/http: limit growth of header canonicalization cache
https://notcve.org/view.php?id=CVE-2021-44716
16 Dec 2021 — net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. net/http en Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5, permite un consumo no controlado de memoria en la caché de canonización del encabezado por medio de peticiones HTTP/2. There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-44717 – golang: syscall: don't close fd 0 on ForkExec error
https://notcve.org/view.php?id=CVE-2021-44717
16 Dec 2021 — Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5 en UNIX, permite operaciones de escritura en un archivo no deseado o en una conexión de red no deseada como consecuencia de un cierre erróneo del descriptor de archivo 0 tras el agotamiento del descriptor de archivo.... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-404: Improper Resource Shutdown or Release •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-41771 – golang: debug/macho: invalid dynamic symbol table command can cause panic
https://notcve.org/view.php?id=CVE-2021-41771
08 Nov 2021 — ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. ImportedSymbols en debug/macho (para Open u OpenFat) en Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, Accede a una Ubicación de Memoria Después del Final de un Búfer, también se conoce como una situación de "out-of-bounds slice" An out of bounds read vulnerability was found in debug/macho of ... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-41772 – golang: archive/zip: Reader.Open panics on empty string
https://notcve.org/view.php?id=CVE-2021-41772
08 Nov 2021 — Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, permite un pánico de archivo/zip Reader.Open por medio de un archivo ZIP diseñado que contiene un nombre no válido o un campo filename vacío A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementi... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •
CVSS: 9.8EPSS: 6%CPEs: 4EXPL: 2CVE-2021-38297 – golang: Command-line arguments may overwrite global data
https://notcve.org/view.php?id=CVE-2021-38297
18 Oct 2021 — Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Go versiones anteriores a 1.16.9 y versiones 1.17.x anteriores a 1.17.2, presenta un Desbordamiento de Búfer por medio de argumentos grandes en una invocación de función desde un módulo WASM, cuando GOARCH=wasm GOOS=js es usado A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAss... • https://github.com/gkrishnan724/CVE-2021-38297 • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39293 – golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
https://notcve.org/view.php?id=CVE-2021-39293
06 Oct 2021 — In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. En archive/zip en Go versiones anteriores a 1.16.8 y 1.17.x versiones anteriores a 1.17.1, un encabezado de archivo diseñada (designando falsamente que hay muchos archivos presentes) puede causar un pánico en NewReader o OpenReader. NOTA: este problema se pres... • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.9EPSS: 0%CPEs: 9EXPL: 0CVE-2021-36221 – golang: net/http/httputil: panic due to racy read of persistConn after handler panic
https://notcve.org/view.php?id=CVE-2021-36221
08 Aug 2021 — Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Go versiones anteriores a 1.15.15 y 1.16.x versiones anteriores a 1.16.7, presenta una condición de carrera que puede conllevar un pánico de net/http/httputil ReverseProxy al abortar ErrAbortHandler A race condition flaw was found in Go. The incoming requests body weren't closed after the handler panic and as a consequence this could lead to ReverseProxy cras... • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-29923 – golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
https://notcve.org/view.php?id=CVE-2021-29923
07 Aug 2021 — Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. Go versiones anteriores a 1.17, no considera apropiadamente los caracteres cero extraños al principio de un octeto de dirección IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso qu... • https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 1CVE-2021-34558 – golang: crypto/tls: certificate of wrong type is causing TLS client to panic
https://notcve.org/view.php?id=CVE-2021-34558
15 Jul 2021 — The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. El paquete crypto/tls de Go versiones hasta 1.16.5, no afirma apropiadamente que el tipo de clave pública en un certificado X.509 coincida con el tipo esperado cuando se hace un intercambio de claves basado en RSA, permitiendo a un servidor TLS malicioso causar el... • https://github.com/alexzorin/cve-2021-34558 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2021-33196 – golang: archive/zip: malformed archive may cause panic or memory exhaustion
https://notcve.org/view.php?id=CVE-2021-33196
28 Jun 2021 — In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. En archive/zip en Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, un recuento de archivos crafteado (en la cabecera de un archivo) puede causar un pánico en NewReader u OpenReader. A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsin... • https://groups.google.com/g/golang-announce • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •