CVE-2022-30633
Stack exhaustion when unmarshaling certain documents in encoding/xml
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
Una recursión no controlada en Unmarshal en encoding/xml versiones anteriores a Go 1.17.12 y Go 1.18.4 permite a un atacante causar un pánico debido al agotamiento de la pila por medio de unmarshal de un documento XML en una estructura Go que presenta un campo anidado que usa la etiqueta de campo 'any'
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-05-12 CVE Reserved
- 2022-08-04 CVE Published
- 2024-03-30 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-674: Uncontrolled Recursion
- CWE-1325: Improperly Controlled Sequential Memory Allocation
CAPEC
References (7)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://go.dev/cl/417061 | 2023-11-07 | |
| https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08 | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://go.dev/issue/53611 | 2023-11-07 | |
| https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE | 2023-11-07 | |
| https://pkg.go.dev/vuln/GO-2022-0523 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2022-30633 | 2023-06-15 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2107392 | 2023-06-15 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.17.12 Search vendor "Golang" for product "Go" and version " < 1.17.12" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.18.0 < 1.18.4 Search vendor "Golang" for product "Go" and version " >= 1.18.0 < 1.18.4" | - |
Affected
| ||||||