FreeBSDDB4B2F27-252A-11EB-865C-00155D646400go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.016 Low
EPSS
Percentile
87.0%
The Go project reports:
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem,
QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic
when provided crafted large inputs. For the panic to happen,
the divisor or modulo argument must be larger than 3168 bits
(on 32-bit architectures) or 6336 bits (on 64-bit architectures).
Multiple math/big.Rat methods are similarly affected.
The go command may execute arbitrary code at build time when
cgo is in use. This may occur when running go get on a malicious
package, or any other command that builds untrusted code. This
can be caused by a malicious gcc flags specified via a #cgo
directive.
The go command may execute arbitrary code at build time when
cgo is in use. This may occur when running go get on a malicious
package, or any other command that builds untrusted code. This
can be caused by malicious unquoted symbol names.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.016 Low
EPSS
Percentile
87.0%