FreeBSD096AB080-907C-11EC-BB14-002324B2FBA8go -- multiple vulnerabilities
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.004 Low
EPSS
Percentile
72.3%
The Go project reports:
crypto/elliptic: fix IsOnCurve for big.Int values that are not
valid coordinates
Some big.Int values that are not valid field elements (negative or
overflowing) might cause Curve.IsOnCurve to incorrectly return true.
Operating on those values may cause a panic or an invalid curve
operation. Note that Unmarshal will never return such values.
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using
(*Rat).SetString due to an unhandled overflow.
cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as “v1.0.0” or
“subdir/v2.0.0-dev”) can be considered a valid version by the go
command. Materializing versions from branches might be unexpected
and bypass ACLs that limit the creation of tags but not branches.
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.004 Low
EPSS
Percentile
72.3%