Filtered by vendor Golang
Subscribe
Total
147 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39293 | 2 Golang, Netapp | 2 Go, Cloud Insights Telegraf | 2023-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. | |||||
| CVE-2021-33196 | 2 Debian, Golang | 2 Debian Linux, Go | 2023-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. | |||||
| CVE-2022-27536 | 2 Apple, Golang | 2 Macos, Go | 2023-03-09 | 5.0 MEDIUM | 7.5 HIGH |
| Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic. | |||||
| CVE-2022-32189 | 1 Golang | 1 Go | 2023-03-03 | N/A | 7.5 HIGH |
| A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. | |||||
| CVE-2021-38561 | 1 Golang | 1 Text | 2023-01-05 | N/A | 7.5 HIGH |
| golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. | |||||
| CVE-2021-27918 | 1 Golang | 1 Go | 2022-12-13 | 5.0 MEDIUM | 7.5 HIGH |
| encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. | |||||
| CVE-2022-41720 | 2 Golang, Microsoft | 2 Go, Windows | 2022-12-12 | N/A | 7.5 HIGH |
| On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. | |||||
| CVE-2022-23772 | 3 Debian, Golang, Netapp | 6 Debian Linux, Go, Beegfs Csi Driver and 3 more | 2022-11-09 | 7.8 HIGH | 7.5 HIGH |
| Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. | |||||
| CVE-2022-32149 | 1 Golang | 1 Text | 2022-10-18 | N/A | 7.5 HIGH |
| An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. | |||||
| CVE-2021-33195 | 2 Golang, Netapp | 2 Go, Cloud Insights Telegraf Agent | 2022-09-14 | 7.5 HIGH | 7.3 HIGH |
| Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | |||||
| CVE-2021-33198 | 1 Golang | 1 Go | 2022-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | |||||
| CVE-2021-33197 | 1 Golang | 1 Go | 2022-09-14 | 4.3 MEDIUM | 5.3 MEDIUM |
| In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | |||||
| CVE-2018-7187 | 2 Debian, Golang | 2 Debian Linux, Go | 2022-08-16 | 9.3 HIGH | 8.8 HIGH |
| The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | |||||
| CVE-2019-9634 | 2 Golang, Microsoft | 2 Go, Windows | 2022-08-16 | 6.8 MEDIUM | 7.8 HIGH |
| Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. | |||||
| CVE-2020-0601 | 2 Golang, Microsoft | 5 Go, Windows, Windows 10 and 2 more | 2022-08-12 | 5.8 MEDIUM | 8.1 HIGH |
| A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | |||||
| CVE-2020-28852 | 1 Golang | 1 Text | 2022-06-03 | 5.0 MEDIUM | 7.5 HIGH |
| In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | |||||
| CVE-2021-23772 | 2 Golang, Iris-go | 2 Go, Iris | 2022-01-04 | 6.8 MEDIUM | 8.8 HIGH |
| This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder. | |||||
| CVE-2012-2666 | 1 Golang | 1 Go | 2021-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. | |||||
| CVE-2015-5741 | 2 Golang, Redhat | 3 Go, Enterprise Linux, Openstack | 2021-08-04 | 7.5 HIGH | 9.8 CRITICAL |
| The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. | |||||
| CVE-2017-15041 | 3 Debian, Golang, Redhat | 7 Debian Linux, Go, Developer Tools and 4 more | 2021-03-19 | 7.5 HIGH | 9.8 CRITICAL |
| Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get." | |||||