CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-27918 – golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
https://notcve.org/view.php?id=CVE-2021-27918
10 Mar 2021 — encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. encoding/xml en Go versiones anteriores a 1.15.9 y versiones 1.16.x anteriores a 1.16.1, presenta un bucle infinito si un TokenReader personalizado (para xml.NewTokenDecoder) devuelve EOF en medio de un elemento. Esto puede ocurrir en el método Decode, DecodeElement o Skip An... • https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-3114 – golang: crypto/elliptic: incorrect operations on the P-224 curve
https://notcve.org/view.php?id=CVE-2021-3114
26 Jan 2021 — In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. En Go versiones anteriores a 1.14.14 y versiones 1.15.x anteriores a 1.15.7, en el archivo crypto/elliptic/p224.go puede generar salidas incorrectas, relacionadas con un subdesbordamiento de la extremidad más baja durante la reducción completa final en el campo P-224 A flaw detected in golang: crypto/elliptic... • https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871 • CWE-682: Incorrect Calculation •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3115 – golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
https://notcve.org/view.php?id=CVE-2021-3115
26 Jan 2021 — Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). Go versiones anteriores a 1.14.14 y versiones 1.15. x anteriores a 1.15.7 en Windows, es vulnerable a una inyección de comandos y una ejecución de código remota cuando es usado el comando "go get" para buscar módulos que hacen uso de cgo (por ejemplo, cg... • https://blog.golang.org/path-security • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28851 – golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
https://notcve.org/view.php?id=CVE-2020-28851
02 Jan 2021 — In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) En x/text en Go versión 1.15.4, se produce un pánico "index out of range" en language.ParseAcceptLanguage mientras se analiza la extensión -u-. (Se supone que x/text/language puede analizar un encabezado HTTP Accept-Language). A flaw was found in golang.org. • https://github.com/golang/go/issues/42535 • CWE-129: Improper Validation of Array Index •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29509
https://notcve.org/view.php?id=CVE-2020-29509
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de atributos durante los viajes de ida por vuelta del proceso de generación de to... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29511
https://notcve.org/view.php?id=CVE-2020-29511
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de los elementos durante los viajes de ida por vuelta del proceso de generación de ... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29510
https://notcve.org/view.php?id=CVE-2020-29510
14 Dec 2020 — The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go versiones 1.15 y anteriores no conserva correctamente la semántica de las directivas durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante dise... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md • CWE-115: Misinterpretation of Input •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28362 – golang: math/big: panic during recursive division of very large numbers
https://notcve.org/view.php?id=CVE-2020-28362
18 Nov 2020 — Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.4, permite una Denegación de Servicio A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability i... • https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-28367 – Arbitrary code execution via the go command with cgo in cmd/go
https://notcve.org/view.php?id=CVE-2020-28367
18 Nov 2020 — Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. La inyección de código en el comando go con cgo antes de Go 1.14.12 y Go 1.15.5 permite la ejecución de código arbitrario en tiempo de compilación a través de banderas gcc maliciosas especificadas a través de una directiva #cgo An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypas... • https://go.dev/cl/267277 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28366 – Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo
https://notcve.org/view.php?id=CVE-2020-28366
18 Nov 2020 — Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.5, permite una Inyección de Código An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository ... • https://go.dev/cl/269658 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •