CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-28131 – Stack exhaustion from deeply nested XML documents in encoding/xml
https://notcve.org/view.php?id=CVE-2022-28131
04 Aug 2022 — Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. En Decoder.Skip en encoding/xml en Go antes de 1.17.12 y 1.18.x antes de 1.18.4, el agotamiento de la pila y un pánico puede ocurrir a través de un documento XML profundamente anidado A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exha... • https://go.dev/cl/417062 • CWE-674: Uncontrolled Recursion CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-30634 – Indefinite hang with large buffers on Windows in crypto/rand
https://notcve.org/view.php?id=CVE-2022-30634
15 Jul 2022 — Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. Un bucle infinito en Read en crypto/rand versiones anteriores a Go 1.17.11 y Go 1.18.3 en Windows, permite a un atacante causar un cuelgue no definido pasando un buffer mayor de 1 << 32 - 1 bytes • https://go.dev/cl/402257 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 3CVE-2022-23773 – golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
https://notcve.org/view.php?id=CVE-2022-23773
11 Feb 2022 — cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. cmd/go en Go versiones anteriores a 1.16.14 y versiones 1.17.x anteriores a 1.17.7, puede malinterpretar nombres de rama que falsamente parecen ser etiquetas de versión. Esto puede conllevar a un control de acceso incorrecto si supone que un actor puede crear ramas pero no etiqu... • https://github.com/danbudris/CVE-2022-23773-repro • CWE-436: Interpretation Conflict CWE-1220: Insufficient Granularity of Access Control •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-23772 – golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
https://notcve.org/view.php?id=CVE-2022-23772
11 Feb 2022 — Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. Rat.SetString en el archivo math/big en Go versiones anteriores a 1.16.14 y versiones 1.17.x anteriores a 1.17.7, presenta un desbordamiento que puede conllevar a un Consumo de Memoria no Controlado A flaw was found in the big package of the math library in golang. The Rat.SetString could cause an overflow, and if left unhandled, it could lead to excessive memory use. Thi... • https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-23806 – golang: crypto/elliptic: IsOnCurve returns true for invalid field elements
https://notcve.org/view.php?id=CVE-2022-23806
11 Feb 2022 — Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. Curve.IsOnCurve en crypto/elliptic en Go versiones anteriores a 1.16.14 y versiones 1.17.x anteriores a 1.17.7, puede devolver incorrectamente true en situaciones con un valor big.Int que no es un elemento de campo válido A flaw was found in the elliptic package of the crypto library in golang when the IsOnCurve function could retu... • https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ • CWE-252: Unchecked Return Value •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-44716 – golang: net/http: limit growth of header canonicalization cache
https://notcve.org/view.php?id=CVE-2021-44716
16 Dec 2021 — net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. net/http en Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5, permite un consumo no controlado de memoria en la caché de canonización del encabezado por medio de peticiones HTTP/2. There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39293 – golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
https://notcve.org/view.php?id=CVE-2021-39293
02 Dec 2021 — In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. En archive/zip en Go versiones anteriores a 1.16.8 y 1.17.x versiones anteriores a 1.17.1, un encabezado de archivo diseñada (designando falsamente que hay muchos archivos presentes) puede causar un pánico en NewReader o OpenReader. NOTA: este problema se pres... • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2021-33195 – golang: net: lookup functions may return invalid host names
https://notcve.org/view.php?id=CVE-2021-33195
02 Aug 2021 — Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5 tiene funciones para las búsquedas de DNS que no validan las respuestas de los servidores DNS, y por lo tanto un valor de retorno puede contener una inyección insegura (por ejemplo, XSS) que no se ajusta al... • https://groups.google.com/g/golang-announce • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 1CVE-2021-34558 – golang: crypto/tls: certificate of wrong type is causing TLS client to panic
https://notcve.org/view.php?id=CVE-2021-34558
15 Jul 2021 — The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. El paquete crypto/tls de Go versiones hasta 1.16.5, no afirma apropiadamente que el tipo de clave pública en un certificado X.509 coincida con el tipo esperado cuando se hace un intercambio de claves basado en RSA, permitiendo a un servidor TLS malicioso causar el... • https://github.com/alexzorin/cve-2021-34558 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-3114 – golang: crypto/elliptic: incorrect operations on the P-224 curve
https://notcve.org/view.php?id=CVE-2021-3114
26 Jan 2021 — In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. En Go versiones anteriores a 1.14.14 y versiones 1.15.x anteriores a 1.15.7, en el archivo crypto/elliptic/p224.go puede generar salidas incorrectas, relacionadas con un subdesbordamiento de la extremidad más baja durante la reducción completa final en el campo P-224 A flaw detected in golang: crypto/elliptic... • https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871 • CWE-682: Incorrect Calculation •