CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2021-33195 – golang: net: lookup functions may return invalid host names
https://notcve.org/view.php?id=CVE-2021-33195
28 Jun 2021 — Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5 tiene funciones para las búsquedas de DNS que no validan las respuestas de los servidores DNS, y por lo tanto un valor de retorno puede contener una inyección insegura (por ejemplo, XSS) que no se ajusta al... • https://groups.google.com/g/golang-announce • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33198 – golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
https://notcve.org/view.php?id=CVE-2021-33198
28 Jun 2021 — In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, puede haber un pánico por un exponente grande al método math/big.Rat SetString o UnmarshalText. A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from... • https://groups.google.com/g/golang-announce • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33197 – golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
https://notcve.org/view.php?id=CVE-2021-33197
28 Jun 2021 — In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, algunas configuraciones de ReverseProxy (desde net/http/httputil) resultan en una situación en la que un atacante es capaz de dejar caer cabeceras arbitrarias A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy for... • https://groups.google.com/g/golang-announce • CWE-20: Improper Input Validation CWE-862: Missing Authorization •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2021-31525 – golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
https://notcve.org/view.php?id=CVE-2021-31525
27 May 2021 — net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. net/http en Go versiones anteriores a 1.15.12 y versiones 1.16.x anteriores a 1.16.4, permite a atacantes remotos causar una denegación de servicio (pánico) por medio de un encabezado grande en los parámetros ReadRequest o ReadResponse. El Servidor, el Transporte y... • https://github.com/golang/go/issues/45710 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-33194 – golang: x/net/html: infinite loop in ParseFragment
https://notcve.org/view.php?id=CVE-2021-33194
26 May 2021 — golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. golang.org/x/net antes de v0.0.0-20210520170846-37e1c6afe023 permite a los atacantes provocar una denegación de servicio (bucle infinito) a través de una entrada ParseFragment manipulada A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest th... • https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-27918 – golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
https://notcve.org/view.php?id=CVE-2021-27918
10 Mar 2021 — encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. encoding/xml en Go versiones anteriores a 1.15.9 y versiones 1.16.x anteriores a 1.16.1, presenta un bucle infinito si un TokenReader personalizado (para xml.NewTokenDecoder) devuelve EOF en medio de un elemento. Esto puede ocurrir en el método Decode, DecodeElement o Skip An... • https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-3114 – golang: crypto/elliptic: incorrect operations on the P-224 curve
https://notcve.org/view.php?id=CVE-2021-3114
26 Jan 2021 — In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. En Go versiones anteriores a 1.14.14 y versiones 1.15.x anteriores a 1.15.7, en el archivo crypto/elliptic/p224.go puede generar salidas incorrectas, relacionadas con un subdesbordamiento de la extremidad más baja durante la reducción completa final en el campo P-224 A flaw detected in golang: crypto/elliptic... • https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871 • CWE-682: Incorrect Calculation •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3115 – golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
https://notcve.org/view.php?id=CVE-2021-3115
26 Jan 2021 — Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). Go versiones anteriores a 1.14.14 y versiones 1.15. x anteriores a 1.15.7 en Windows, es vulnerable a una inyección de comandos y una ejecución de código remota cuando es usado el comando "go get" para buscar módulos que hacen uso de cgo (por ejemplo, cg... • https://blog.golang.org/path-security • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-427: Uncontrolled Search Path Element •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29509
https://notcve.org/view.php?id=CVE-2020-29509
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de atributos durante los viajes de ida por vuelta del proceso de generación de to... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29511
https://notcve.org/view.php?id=CVE-2020-29511
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de los elementos durante los viajes de ida por vuelta del proceso de generación de ... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md • CWE-115: Misinterpretation of Input •