BIT-GOLANG-2022-28131 Stack exhaustion from deeply nested XML documents in encoding/xml

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document...

BIT-GOLANG-2022-30630 Stack exhaustion in Glob on certain paths in io/fs

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators...

BIT-GOLANG-2022-30631 Stack exhaustion when reading certain archives in compress/gzip

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files...

BIT-GOLANG-2022-30632 Stack exhaustion on crafted paths in path/filepath

Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators...

BIT-GOLANG-2022-30635 Stack exhaustion when decoding certain messages in encoding/gob

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures...

BIT-GOLANG-2022-32148 Exposure of client IP addresses in net/http

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...

Rocky Linux 8 : grafana-pcp (RLSA-2022:7648)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7648 advisory. - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if...

Amazon Linux 2022 : golang, golang-bin, golang-misc (ALAS2022-2022-128)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-128 advisory. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating chunked encoding. This issue could allow request smuggling, but only if combined with an...

Rocky Linux 9 : toolbox (RLSA-2022:8098)

The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:8098 advisory. - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containi...

Oracle Linux 9 : grafana (ELSA-2022-8057)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-8057 advisory. - resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse functions - resolve CVE-2022-1705 golang: net/http: improper sanitization of...

Oracle Linux 8 : container-tools:3.0 (ELSA-2022-7529)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7529 advisory. - fixes CVE-2021-3602 - amend CVE-2022-1708 - fix CVE-2022-1708 - thanks to Peter Hunt - fix CVE-2022-27650 - fixes CVE-2021-3602 - rc95 fixes...

AlmaLinux 8 : grafana-pcp (ALSA-2022:7648)

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2022:7648 advisory. - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if...

Oracle Linux 8 : ol8addon (ELSA-2022-23681)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-23681 advisory. golang 1.17.13-1.0.1 - Update tarball to 1.17.12 - Add patches between Go 1.17.12 and Go 1.17.13 - Reviewed-by: David Faust 1.17.12-1 - Update Go to...

CVE-2022-32148

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...

CVE-2022-30635

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures...

AZL-10537 CVE-2022-30635 affecting package golang for versions less than 1.18.5-1

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures...

CVE-2022-30633

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag...

CVE-2022-30635

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures...

CVE-2022-30631

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files...

CVE-2022-30632

Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators...