CVE-2022-28131

🗓️ 09 Aug 2022 00:00:00Reported by GoType

cve🔗 web.nvd.nist.gov📰️ 6 Media mentions👁 395 Views

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document

Reporter	Title	Published	Views	Family All 314
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Go may affect IBM CICS TX Standard	24 Feb 202310:43	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023	10 Mar 202318:29	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM API Connect	15 Mar 202500:18	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go	31 Mar 202314:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Data is vulnerable to a variety of issues due to 3rd party software	27 Sep 202417:52	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation	29 Mar 202317:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	16 Jun 202315:20	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go	5 Jul 202321:52	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Golang Go affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift	18 Nov 202200:02	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to multiple software weaknesses due to Golang	4 Apr 202521:17	–	ibm

NVD

Node

golang goRange<1.17.12

golang goRange1.18.0–1.18.4

Node

fedoraproject fedoraMatch35

Node

netapp cloud_insights_telegrafMatch-

[
  {
    "vendor": "Go standard library",
    "product": "encoding/xml",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "encoding/xml",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.17.12",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.18.0-0",
        "lessThan": "1.18.4",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "Decoder.Skip"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
groups	www.groups.google.com/g/golang-announce/c/nqrv9fbR0zE
pkg	www.pkg.go.dev/vuln/GO-2022-0521
go	www.go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3
go	www.go.dev/issue/53614
go	www.go.dev/cl/417062