GoogleOSV:GHSA-MV93-WVCP-7M7Rgolang.org/x/net/html Improper Validation of Array Index vulnerability
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.3 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
73.1%
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a โpanic: runtime errorโ (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
| CPE | Name | Operator | Version |
|---|---|---|---|
| golang.org/x/net | lt | 0.0.0-20190125002852-4b62a64f59f7 |
References
github.com/golang/go/issues/27846
go.dev/cl/159397
go.dev/issue/27846
go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c
lists.fedoraproject.org/archives/list/[email protected]/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON
lists.fedoraproject.org/archives/list/[email protected]/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK
nvd.nist.gov/vuln/detail/CVE-2018-17848
pkg.go.dev/vuln/GO-2022-0197
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.3 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
73.1%