CVE-2022-28131
Stack exhaustion from deeply nested XML documents in encoding/xml
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
En Decoder.Skip en encoding/xml en Go antes de 1.17.12 y 1.18.x antes de 1.18.4, el agotamiento de la pila y un pánico puede ocurrir a través de un documento XML profundamente anidado
A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
*Credits:
Go Security Team, Juho Nurminen of Mattermost
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-03-29 CVE Reserved
- 2022-08-04 CVE Published
- 2024-03-30 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-674: Uncontrolled Recursion
- CWE-1325: Improperly Controlled Sequential Memory Allocation
CAPEC
References (7)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2022-28131 | 2023-06-15 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2107390 | 2023-06-15 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.17.12 Search vendor "Golang" for product "Go" and version " < 1.17.12" | - |
Affected
| ||||||
Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.18.0 < 1.18.4 Search vendor "Golang" for product "Go" and version " >= 1.18.0 < 1.18.4" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Cloud Insights Telegraf Search vendor "Netapp" for product "Cloud Insights Telegraf" | - | - |
Affected
|