CVE-2022-30633
Stack exhaustion when unmarshaling certain documents in encoding/xml
Descriptions
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion.
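As an added illustration, not code from the Go project or from this advisory, the snippet below shows the struct shape the description refers to (a nested field tagged `,any`) together with a defensive pre-check: the streaming token decoder, which is iterative, is used to bound element nesting depth before the document is handed to `xml.Unmarshal`. The names `Node`, `checkDepth`, `SafeUnmarshal` and `ErrTooDeep` and the depth limit are choices made for this example; the proper fix remains upgrading to Go 1.17.12 or 1.18.4 as stated above.

```go
package main

import (
	"encoding/xml"
	"errors"
	"io"
	"strings"
)

// Node has the shape the advisory describes: a nested field tagged ",any",
// so Unmarshal recurses once per level of element nesting. (Constructed.)
type Node struct {
	XMLName  xml.Name
	Children []Node `xml:",any"`
}

var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// checkDepth walks the document with the streaming token decoder (iterative,
// not recursive) and rejects it if any element sits deeper than maxDepth.
func checkDepth(doc string, maxDepth int) error {
	dec := xml.NewDecoder(strings.NewReader(doc))
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > maxDepth {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// SafeUnmarshal bounds nesting depth before calling encoding/xml.Unmarshal,
// so an over-nested document is refused instead of driving the recursion.
func SafeUnmarshal(doc string, maxDepth int, v interface{}) error {
	if err := checkDepth(doc, maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal([]byte(doc), v)
}
```

The depth limit should be set from what the application's schema actually needs; a small document well within the limit still unmarshals normally.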
Timeline
- 2022-05-12 CVE Reserved
- 2022-08-04 CVE Published
- 2024-03-30 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-674: Uncontrolled Recursion
- CWE-1325: Improperly Controlled Sequential Memory Allocation
References (7)
URL | Date
---|---
https://go.dev/cl/417061 | 2023-11-07
https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08 | 2023-11-07
https://go.dev/issue/53611 | 2023-11-07
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE | 2023-11-07
https://pkg.go.dev/vuln/GO-2022-0523 | 2023-11-07
https://access.redhat.com/security/cve/CVE-2022-30633 | 2023-06-15
https://bugzilla.redhat.com/show_bug.cgi?id=2107392 | 2023-06-15
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Golang | Go | < 1.17.12 | Affected
Golang | Go | >= 1.18.0 < 1.18.4 | Affected