CVE-2022-32190 – Failure to strip relative path components in net/url
https://notcve.org/view.php?id=CVE-2022-32190
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. JoinPath y URL.JoinPath no eliminan los elementos de ruta ../ anexados a una ruta relativa. • https://go.dev/cl/423514 https://go.dev/issue/54385 https://groups.google.com/g/golang-announce/c/x49AQzIVX-s https://pkg.go.dev/vuln/GO-2022-0988 https://access.redhat.com/security/cve/CVE-2022-32190 https://bugzilla.redhat.com/show_bug.cgi?id=2124668 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-27664 – golang: net/http: handle server errors after sending GOAWAY
https://notcve.org/view.php?id=CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. En net/http en Go versiones anteriores a 1.18.6 y 1.19.x anteriores a 1.19.1, los atacantes pueden causar una denegación de servicio porque una conexión HTTP/2 puede colgarse durante el cierre si el apagado fue adelantado por un error fatal. A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. • https://groups.google.com/g/golang-announce https://groups.google.com/g/golang-announce/c/x49AQzIVX-s https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX https://security.gentoo.org/glsa/202209-26 https://security.netapp.com/advisory/ntap-20220923-0004 https://access.redhat.com/security/cve/CVE-2022-27664 https://bu • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-30580 – Empty Cmd.Path can trigger unintended binary in os/exec on Windows
https://notcve.org/view.php?id=CVE-2022-30580
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. Una inyección de código en el archivo Cmd.Start en os/exec versiones anteriores a Go 1.17.11 y Go 1.18.3, permite una ejecución de cualquier binario en el directorio de trabajo llamado "..com" o "..exe" llamando a Cmd.Run, Cmd.Start, Cmd.Output o Cmd.CombinedOutput cuando Cmd.Path no está establecido • https://go.dev/cl/403759 https://go.dev/issue/52574 https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ https://pkg.go.dev/vuln/GO-2022-0532 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-32189 – Panic when decoding Float and Rat types in math/big
https://notcve.org/view.php?id=CVE-2022-32189
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Un mensaje codificado demasiado corto puede causar un pánico en Float.GobDecode y Rat GobDecode en math/big en Go versiones anteriores a 1.17.13 y 1.18.5, permitiendo potencialmente una denegación de servicio An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability. • https://go.dev/cl/417774 https://go.dev/issue/53871 https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66 https://groups.google.com/g/golang-announce/c/YqYYG87xB10 https://pkg.go.dev/vuln/GO-2022-0537 https://access.redhat.com/security/cve/CVE-2022-32189 https://bugzilla.redhat.com/show_bug.cgi?id=2113814 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-30629 – Session tickets lack random ticket_age_add in crypto/tls
https://notcve.org/view.php?id=CVE-2022-30629
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. Valores no aleatorios para la función ticket_age_add en los tickets de sesión en crypto/tls versiones anteriores a Go 1.17.11 y Go 1.18.3, permiten a un atacante que pueda observar los handshakes TLS correlacionar conexiones sucesivas comparando las edades de los tickets durante la reanudación de la sesión A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption. • https://go.dev/cl/405994 https://go.dev/issue/52814 https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5 https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ https://pkg.go.dev/vuln/GO-2022-0531 https://access.redhat.com/security/cve/CVE-2022-30629 https://bugzilla.redhat.com/show_bug.cgi?id=2092793 • CWE-330: Use of Insufficiently Random Values CWE-331: Insufficient Entropy •