CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41715 – Memory exhaustion when compiling regular expressions in regexp/syntax
https://notcve.org/view.php?id=CVE-2022-41715
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. • https://go.dev/cl/439356 https://go.dev/issue/55949 https://groups.google.com/g/golang-announce/c/xtuG5faxtaU https://pkg.go.dev/vuln/GO-2022-1039 https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/CVE-2022-41715 https://bugzilla.redhat.com/show_bug.cgi?id=2132872 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2879 – Unbounded memory consumption when reading headers in archive/tar
https://notcve.org/view.php?id=CVE-2022-2879
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. Reader.Read no establece un límite en el tamaño máximo de los encabezados de los archivos. Un archivo diseñado de forma maliciosa podía causar que Read asignara cantidades ilimitadas de memoria, causando potencialmente el agotamiento de los recursos o el pánico. • https://go.dev/cl/439355 https://go.dev/issue/54853 https://groups.google.com/g/golang-announce/c/xtuG5faxtaU https://pkg.go.dev/vuln/GO-2022-1037 https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/CVE-2022-2879 https://bugzilla.redhat.com/show_bug.cgi?id=2132867 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-27664 – golang: net/http: handle server errors after sending GOAWAY
https://notcve.org/view.php?id=CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. En net/http en Go versiones anteriores a 1.18.6 y 1.19.x anteriores a 1.19.1, los atacantes pueden causar una denegación de servicio porque una conexión HTTP/2 puede colgarse durante el cierre si el apagado fue adelantado por un error fatal. A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/x49AQzIVX-s https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX https://security.gentoo.org/glsa/202209-26 https://security.netapp.com/advisory/ntap-20220923-0004 https://access.redhat.com/security/cve/CVE-2022-27664 https://bu • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30580 – Empty Cmd.Path can trigger unintended binary in os/exec on Windows
https://notcve.org/view.php?id=CVE-2022-30580
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. Una inyección de código en el archivo Cmd.Start en os/exec versiones anteriores a Go 1.17.11 y Go 1.18.3, permite una ejecución de cualquier binario en el directorio de trabajo llamado "..com" o "..exe" llamando a Cmd.Run, Cmd.Start, Cmd.Output o Cmd.CombinedOutput cuando Cmd.Path no está establecido • https://go.dev/cl/403759 https://go.dev/issue/52574 https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ https://pkg.go.dev/vuln/GO-2022-0532 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-32189 – Panic when decoding Float and Rat types in math/big
https://notcve.org/view.php?id=CVE-2022-32189
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Un mensaje codificado demasiado corto puede causar un pánico en Float.GobDecode y Rat GobDecode en math/big en Go versiones anteriores a 1.17.13 y 1.18.5, permitiendo potencialmente una denegación de servicio An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability. • https://go.dev/cl/417774 https://go.dev/issue/53871 https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66 https://groups.google.com/g/golang-announce/c/YqYYG87xB10 https://pkg.go.dev/vuln/GO-2022-0537 https://access.redhat.com/security/cve/CVE-2022-32189 https://bugzilla.redhat.com/show_bug.cgi?id=2113814 • CWE-400: Uncontrolled Resource Consumption •