53 matches found
PT-2026-38570
Name of the Vulnerable Software and Affected Versions Go affected versions not specified Description A flaw in the go command's validation of module checksums allows a malicious module proxy to bypass checksum database validation. This occurs when the checksum database returns a successful respon...
EUVD-2023-43052
Malicious code in bioql PyPI...
httpd: NULL pointer dereference in mod_proxy
A flaw was found in the modproxy module of httpd. A NULL pointer dereference can be triggered when processing a specially crafted HTTP request, causing the httpd server to crash, and resulting in a denial of service...
EulerOS 2.0 SP10 : golang (EulerOS-SA-2024-1335)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the...
EulerOS 2.0 SP10 : golang (EulerOS-SA-2024-1313)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the...
BIT-GOLANG-2023-39320 Arbitrary code execution via go.mod toolchain directive in cmd/go
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules...
BIT-GOLANG-2023-45285 Command 'go get' may unexpectedly fallback to insecure git in cmd/go
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
RHEL 7 : go-toolset-1.19-golang (RHSA-2024:1041)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1041 advisory. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang:...
Insecure Protocol Handling
github.com/golang/go is vulnerable to Insecure Protocol Handling. The vulnerability exists in the repoRootFromVCSPaths function of vcs.go when using go get to fetch a module with the .git suffix. It may unexpectedly fallback to the insecure git:// protocol if the module is unavailable via the...
Golang 1.20.x < 1.20.12, 1.21.x < 1.21.5 Multiple Vulnerabilities
The version of Golang running on the remote host is prior to 1.20.12 or 1.21.x prior to 1.21.5. It is, therefore, is affected by multiple vulnerabilities : - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from t...
CVE-2023-45285
A flaw was found in the Golang package cmd/go. This issue permits the fallback to insecure "git://" if trying to fetch a .git module that has no "https://" or "git+ssh://" available. Mitigation This issue only affects users who are not using the module proxy and are fetching modules directly i.e...
AZL-32101 CVE-2023-45285 affecting package golang for versions less than 1.21.6-1
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
DEBIAN-CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
Code injection
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
GO-2023-2383 Command 'go get' may unexpectedly fallback to insecure git in cmd/go
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
Golang 1.21.x < 1.21.1 RCE
The version of Golang Go installed on the remote host is affected by a remote code execution vulnerability. The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the 'go' command was executed within the...
CVE-2023-39320
A flaw was found in Golang. The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module...