CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28851 – golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
https://notcve.org/view.php?id=CVE-2020-28851
02 Jan 2021 — In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go versión 1.15.4, se produce un pánico "index out of range" en language.ParseAcceptLanguage mientras se analiza la extensión -u-. (Se supone que x/text/language puede analizar un encabezado HTTP Accept-Language). A flaw was found in golang.org. • https://github.com/golang/go/issues/42535 • CWE-129: Improper Validation of Array Index •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29509
https://notcve.org/view.php?id=CVE-2020-29509
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de atributos durante los viajes de ida por vuelta del proceso de generación de to... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29511
https://notcve.org/view.php?id=CVE-2020-29511
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de los elementos durante los viajes de ida por vuelta del proceso de generación de ... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29510
https://notcve.org/view.php?id=CVE-2020-29510
14 Dec 2020 — The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go versiones 1.15 y anteriores no conserva correctamente la semántica de las directivas durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante dise... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md • CWE-115: Misinterpretation of Input •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28362 – golang: math/big: panic during recursive division of very large numbers
https://notcve.org/view.php?id=CVE-2020-28362
18 Nov 2020 — Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.4, permite una Denegación de Servicio A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability i... • https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2020-28366 – Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo
https://notcve.org/view.php?id=CVE-2020-28366
18 Nov 2020 — Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.5, permite una Inyección de Código An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository ... • https://go.dev/cl/269658 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2020-28367 – Arbitrary code execution via the go command with cgo in cmd/go
https://notcve.org/view.php?id=CVE-2020-28367
18 Nov 2020 — Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. La inyección de código en el comando go con cgo antes de Go 1.14.12 y Go 1.15.5 permite la ejecución de código arbitrario en tiempo de compilación a través de banderas gcc maliciosas especificadas a través de una directiva #cgo An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypas... • https://go.dev/cl/267277 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 4CVE-2020-24553 – golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
https://notcve.org/view.php?id=CVE-2020-24553
02 Sep 2020 — Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. Go versiones anteriores a 1.14.8 y versiones 1.15.x anteriores a 1.15.1, permite un ataque de tipo XSS porque text/html es el predeterminado para los manejadores de CGI/FCGI que carecen de un encabezado Content-Type A flaw was found in the Go standard library packages before upstream versions 1.15 and 1.14.8. Both the net/http/cgi and net/http/fcgi packages use a defau... • https://packetstorm.news/files/id/159049 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-16845 – golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
https://notcve.org/view.php?id=CVE-2020-16845
06 Aug 2020 — Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. Go versiones anteriores a 1.13.15 y versiones 14.x anteriores a 1.14.7, puede presentar un bucle de lectura infinito en las funciones ReadUvarint y ReadVarint en encoding/binary por medio de entradas no válidas A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited numb... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-14039
https://notcve.org/view.php?id=CVE-2020-14039
17 Jul 2020 — In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. En Go versiones anteriores a 1.13.13 y versiones 1.14.x anteriores a 1.14.5, Certificate.Verify puede carecer de una comprobación en los requisitos VerifyOptions.KeyUsages EKU (si VerifyOptions.Roots es igual a cero y la instalación está en Windows). Entonc... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html • CWE-295: Improper Certificate Validation •