CVSS: 7.8EPSS: 36%CPEs: 8EXPL: 0CVE-2023-39325 – HTTP/2 rapid reset can cause excessive work in net/http
https://notcve.org/view.php?id=CVE-2023-39325
11 Oct 2023 — A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). N... • https://go.dev/cl/534215 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 1CVE-2022-28948 – golang-gopkg-yaml: crash when attempting to deserialize invalid input
https://notcve.org/view.php?id=CVE-2022-28948
19 May 2022 — An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. Un problema en la función Unmarshal de Go-Yaml versión v3, causa el bloqueo del programa cuando intenta de serializar una entrada no válida A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to convert (or deserialize) invalid input data, potentially impacting system stability and reliability. New Cryostat 2.1.1 on RHEL 8... • https://github.com/go-yaml/yaml/issues/666 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-24921 – golang: regexp: stack exhaustion via a deeply nested expression
https://notcve.org/view.php?id=CVE-2022-24921
05 Mar 2022 — regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. El archivo regexp.Compile en Go versiones anteriores a 1.16.15 y versiones 1.17.x anteriores a 1.17.8, permite un agotamiento de la pila por medio de una expresión profundamente anidada A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient ... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-400: Uncontrolled Resource Consumption CWE-674: Uncontrolled Recursion •
CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 1CVE-2021-25742 – Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
https://notcve.org/view.php?id=CVE-2021-25742
29 Oct 2021 — A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Se ha detectado un problema de seguridad en ingress-nginx donde un usuario que puede crear o actualizar objetos de entrada puede usar la función de fragmentos personalizados para obtener todos los secretos del clúster • https://github.com/kubernetes/ingress-nginx/issues/7837 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 1CVE-2021-34558 – golang: crypto/tls: certificate of wrong type is causing TLS client to panic
https://notcve.org/view.php?id=CVE-2021-34558
15 Jul 2021 — The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. El paquete crypto/tls de Go versiones hasta 1.16.5, no afirma apropiadamente que el tipo de clave pública en un certificado X.509 coincida con el tipo esperado cuando se hace un intercambio de claves basado en RSA, permitiendo a un servidor TLS malicioso causar el... • https://github.com/alexzorin/cve-2021-34558 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29509
https://notcve.org/view.php?id=CVE-2020-29509
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de atributos durante los viajes de ida por vuelta del proceso de generación de to... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29511
https://notcve.org/view.php?id=CVE-2020-29511
14 Dec 2020 — The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go (todas las versiones) no conserva correctamente la semántica de los prefijos del espacio de nombres de los elementos durante los viajes de ida por vuelta del proceso de generación de ... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md • CWE-115: Misinterpretation of Input •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29510
https://notcve.org/view.php?id=CVE-2020-29510
14 Dec 2020 — The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. El paquete encoding/xml en Go versiones 1.15 y anteriores no conserva correctamente la semántica de las directivas durante los viajes de ida por vuelta del proceso de generación de token, que permite a un atacante dise... • https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md • CWE-115: Misinterpretation of Input •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28362 – golang: math/big: panic during recursive division of very large numbers
https://notcve.org/view.php?id=CVE-2020-28362
18 Nov 2020 — Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.4, permite una Denegación de Servicio A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability i... • https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28366 – Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo
https://notcve.org/view.php?id=CVE-2020-28366
18 Nov 2020 — Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.5, permite una Inyección de Código An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository ... • https://go.dev/cl/269658 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •