CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2879 – Unbounded memory consumption when reading headers in archive/tar
https://notcve.org/view.php?id=CVE-2022-2879
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. Reader.Read no establece un límite en el tamaño máximo de los encabezados de los archivos. Un archivo diseñado de forma maliciosa podía causar que Read asignara cantidades ilimitadas de memoria, causando potencialmente el agotamiento de los recursos o el pánico. • https://go.dev/cl/439355 https://go.dev/issue/54853 https://groups.google.com/g/golang-announce/c/xtuG5faxtaU https://pkg.go.dev/vuln/GO-2022-1037 https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/CVE-2022-2879 https://bugzilla.redhat.com/show_bug.cgi?id=2132867 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-32190 – Failure to strip relative path components in net/url
https://notcve.org/view.php?id=CVE-2022-32190
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. JoinPath y URL.JoinPath no eliminan los elementos de ruta ../ anexados a una ruta relativa. • https://go.dev/cl/423514 https://go.dev/issue/54385 https://groups.google.com/g/golang-announce/c/x49AQzIVX-s https://pkg.go.dev/vuln/GO-2022-0988 https://access.redhat.com/security/cve/CVE-2022-32190 https://bugzilla.redhat.com/show_bug.cgi?id=2124668 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-27664 – golang: net/http: handle server errors after sending GOAWAY
https://notcve.org/view.php?id=CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. En net/http en Go versiones anteriores a 1.18.6 y 1.19.x anteriores a 1.19.1, los atacantes pueden causar una denegación de servicio porque una conexión HTTP/2 puede colgarse durante el cierre si el apagado fue adelantado por un error fatal. A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/x49AQzIVX-s https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX https://security.gentoo.org/glsa/202209-26 https://security.netapp.com/advisory/ntap-20220923-0004 https://access.redhat.com/security/cve/CVE-2022-27664 https://bu • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30580 – Empty Cmd.Path can trigger unintended binary in os/exec on Windows
https://notcve.org/view.php?id=CVE-2022-30580
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. Una inyección de código en el archivo Cmd.Start en os/exec versiones anteriores a Go 1.17.11 y Go 1.18.3, permite una ejecución de cualquier binario en el directorio de trabajo llamado "..com" o "..exe" llamando a Cmd.Run, Cmd.Start, Cmd.Output o Cmd.CombinedOutput cuando Cmd.Path no está establecido • https://go.dev/cl/403759 https://go.dev/issue/52574 https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ https://pkg.go.dev/vuln/GO-2022-0532 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-32189 – Panic when decoding Float and Rat types in math/big
https://notcve.org/view.php?id=CVE-2022-32189
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Un mensaje codificado demasiado corto puede causar un pánico en Float.GobDecode y Rat GobDecode en math/big en Go versiones anteriores a 1.17.13 y 1.18.5, permitiendo potencialmente una denegación de servicio An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability. • https://go.dev/cl/417774 https://go.dev/issue/53871 https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66 https://groups.google.com/g/golang-announce/c/YqYYG87xB10 https://pkg.go.dev/vuln/GO-2022-0537 https://access.redhat.com/security/cve/CVE-2022-32189 https://bugzilla.redhat.com/show_bug.cgi?id=2113814 • CWE-400: Uncontrolled Resource Consumption •