9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.821 High
EPSS
Percentile
98.3%
Severity: Medium
Date : 2019-08-24
CVE-ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809
Package : go
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1021
The package go before version 2:1.12.8-1 is vulnerable to multiple
issues including denial of service and insufficient validation.
Upgrade to 2:1.12.8-1.
The problems have been fixed upstream in version 1.12.8.
None.
An issue has been found in several HTTP/2 implementations, where the
attacker sends continual pings to an HTTP/2 peer, causing the peer to
build an internal queue of responses. Depending on how efficiently this
data is queued, this can consume excess CPU, memory, or both,
potentially leading to a denial of service.
An issue has been found in several HTTP/2 implementations, where the
attacker opens a number of streams and sends an invalid request over
each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can
consume excess memory, CPU, or both, potentially leading to a denial of
service.
An issue has been found in Go before 1.12.8, where url.Parse would
accept URLs with malformed hosts, such that the Host field could have
arbitrary suffixes that would appear in neither Hostname() nor Port(),
allowing authorization bypasses in certain applications. Note that URLs
with invalid, not numeric ports will now return an error from
url.Parse.
A remote attacker is able to cause a denial of service by sending a
specially crafted packet or bypass authorization due to insufficient
validation.
https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://golang.org/issue/29098
https://security.archlinux.org/CVE-2019-9512
https://security.archlinux.org/CVE-2019-9514
https://security.archlinux.org/CVE-2019-14809
github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
golang.org/issue/29098
groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
security.archlinux.org/AVG-1021
security.archlinux.org/CVE-2019-14809
security.archlinux.org/CVE-2019-9512
security.archlinux.org/CVE-2019-9514
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.821 High
EPSS
Percentile
98.3%