proglottis/gpgme: Use-after-free in GPGME bindings during container image pull

A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification...

Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2017-1311)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

TopList Cross-Site Scripting Vulnerability

TopList is a content aggregation website system written in Go for getting popular headlines from other websites. A cross-site scripting vulnerability exists in versions of TopList prior to 2019-09-03. The vulnerability stems from the WEB application's lack of proper validation of client-side data...

golang: malformed hosts in URLs leads to authorization bypass

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an...

UBUNTU-CVE-2019-19602

fpregsstatevalid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a denial of service memory corruption or possibly have unspecified other impact because of incorrect fpufpregsownerctx caching, as demonstrated...

golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling

It was discovered that net/http through net/textproto in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or ...

golang: malformed hosts in URLs leads to authorization bypass

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an...

Apache Thrift Out-of-Bounds Read Vulnerability

Apache Thrift is an interface definition language and binary communication protocol for defining and creating services for multiple languages. Apache Thrift suffers from an out-of-bounds read vulnerability. An attacker can exploit this vulnerability by invalidating input data to cause a panic...

Code injection

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates...

UBUNTU-CVE-2019-17596

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates...

CVE-2019-17596

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates...

The vulnerability of the `net/url` function in the Go programming language allows attackers to compromise data integrity, gain unauthorized access to protected information, and cause service interruptions.

The vulnerability of the net/url function in the Go programming language is related to an error in processing constructed path names in URL addresses, which leads to authentication bypass. Exploiting this vulnerability allows an attacker to compromise data integrity, gain unauthorized access to...

How We Developed Our EQR Plugins

Extensible Analytics with EQR’s Lightweight, Ultra-Performance Plugin System I’ve written a few posts now on the plans and development of EQR Event Query Router, the open-source tool we built to give data scientists the ability to execute large-scale queries on real-time big data streams without...

Security Bulletin: IBM Cloud Private for Data is affected by a vulnerability in Go Language (CVE-2019-6486)

Summary IBM Cloud Private for Data is affected by a denial of service vulnerability in Open Source Go Language which could allow a local attacker to consume all available CPU resources. Vulnerability Details CVEID: CVE-2019-6486 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused ...

Security Bulletin: IBM Cloud Private for Data is affected by multiple vulnerabilties in Go Language (CVE-2018-16874, CVE-2018-16873, CVE-2018-16875)

Summary IBM Cloud Private for Data is affected by multiple vulnerabilities in Open Source Go Language which could allow a remote attacker to traverse directories on the system, to execute arbitrary code on the system, or mount a denial of service attack. Vulnerability Details CVEID: CVE-2018-1687...

CVE-2019-16276

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling...

Building a New Language for Data Processing

Building a New Language for Data Translation In previous posts, we’ve talked about the plan for and implementation of EQR Event Query Router—a system we created to solve the problem of querying large quantities of disparate data by end-user analysts in real-time. As with any major project, we fac...

Botb - A Container Analysis And Exploitation Tool For Pentesters And Engineers

BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies. What does it do? BOtB is a CLI tool which allows you to: Exploit common container vulnerabilities Perform common container post...

AZL-78948 CVE-2019-14809 affecting package golang 1.25.7-1

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an...

UBUNTU-CVE-2019-14809

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an...