CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28362 – golang: math/big: panic during recursive division of very large numbers
https://notcve.org/view.php?id=CVE-2020-28362
18 Nov 2020 — Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.4, permite una Denegación de Servicio A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability i... • https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2020-28366 – Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo
https://notcve.org/view.php?id=CVE-2020-28366
18 Nov 2020 — Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.5, permite una Inyección de Código An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository ... • https://go.dev/cl/269658 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2020-28367 – Arbitrary code execution via the go command with cgo in cmd/go
https://notcve.org/view.php?id=CVE-2020-28367
18 Nov 2020 — Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. La inyección de código en el comando go con cgo antes de Go 1.14.12 y Go 1.15.5 permite la ejecución de código arbitrario en tiempo de compilación a través de banderas gcc maliciosas especificadas a través de una directiva #cgo An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypas... • https://go.dev/cl/267277 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 4CVE-2020-24553 – golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
https://notcve.org/view.php?id=CVE-2020-24553
02 Sep 2020 — Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. Go versiones anteriores a 1.14.8 y versiones 1.15.x anteriores a 1.15.1, permite un ataque de tipo XSS porque text/html es el predeterminado para los manejadores de CGI/FCGI que carecen de un encabezado Content-Type A flaw was found in the Go standard library packages before upstream versions 1.15 and 1.14.8. Both the net/http/cgi and net/http/fcgi packages use a defau... • https://packetstorm.news/files/id/159049 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-16845 – golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
https://notcve.org/view.php?id=CVE-2020-16845
06 Aug 2020 — Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. Go versiones anteriores a 1.13.15 y versiones 14.x anteriores a 1.14.7, puede presentar un bucle de lectura infinito en las funciones ReadUvarint y ReadVarint en encoding/binary por medio de entradas no válidas A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited numb... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-14039
https://notcve.org/view.php?id=CVE-2020-14039
17 Jul 2020 — In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. En Go versiones anteriores a 1.13.13 y versiones 1.14.x anteriores a 1.14.5, Certificate.Verify puede carecer de una comprobación en los requisitos VerifyOptions.KeyUsages EKU (si VerifyOptions.Roots es igual a cero y la instalación está en Windows). Entonc... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 0%CPEs: 10EXPL: 0CVE-2020-15586 – golang: data race in certain net/http servers including ReverseProxy can lead to DoS
https://notcve.org/view.php?id=CVE-2020-15586
17 Jul 2020 — Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. Go versiones anteriores a 1.13.13 y versiones 1.14.x anteriores a 1.14.5, presenta una carrera de datos en algunos servidores net/http, como es demostrado por el Manejador httputil.ReverseProxy, porque lee un cuerpo de petición y escribe una respuesta al mismo tiempo A flaw was found Go's net/http pa... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.8EPSS: 1%CPEs: 5EXPL: 0CVE-2020-7919 – Debian Security Advisory 4848-1
https://notcve.org/view.php?id=CVE-2020-7919
16 Mar 2020 — Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. Go versiones anteriores a 1.12.16 y versiones 1.13.x anteriores a 1.13.7 (y el paquete crypto/cryptobyte versiones anteriores a 0.0.0-20200124225646-8b5121be2f68 para Go), permite ataques a los clientes (lo que resulta en un pánico) por medio de un certificado X.509 malformado. Multiple security issu... • https://groups.google.com/forum/#%21forum/golang-announce • CWE-295: Improper Certificate Validation •
CVSS: 8.1EPSS: 97%CPEs: 15EXPL: 36CVE-2020-0601 – Microsoft Windows CryptoAPI Spoofing Vulnerability
https://notcve.org/view.php?id=CVE-2020-0601
14 Jan 2020 — A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. Se presenta una vulnerabilidad de suplantación de identidad en la manera en que Windows CryptoAPI (Crypt32.dll) comprueba los certificados Elliptic... • https://packetstorm.news/files/id/155960 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 2CVE-2019-17596 – golang: invalid public key causes panic in dsa.Verify
https://notcve.org/view.php?id=CVE-2019-17596
24 Oct 2019 — Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. Go versiones anteriores a 1.12.11 y versiones 1.3.x anteriores a 1.13.2, puede entrar en pánico tras intentar procesar el tráfico de red que contiene una clave pública DSA no válida. Existen varios escenarios de ataque, tal y como el tráfico de un cliente hacia un s... • https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596 • CWE-295: Improper Certificate Validation CWE-436: Interpretation Conflict •