Lucene search

6935 matches found

BDU FSTEC
added 2024/09/13 12:0 a.m. · 2 views

The vulnerability of the Parse function in the Go programming language, which allows a hacker to trigger a service failure

The vulnerability of the Parse function in the Go programming language is related to an uncontrolled recursion. Exploiting this vulnerability could allow a malicious actor, operating remotely, to cause service failures...

7.8 CVSS · 6.5 AI score · 0.00832 EPSS
Exploits 0 · References 9 · Affected Software 3
OSV
added 2024/09/12 5:46 p.m. · 4 views

CLSA-2024-1726163202 expat: Fix of 3 CVEs

The release version was raised because it corresponds to version 13 - CVE-2024-45490: reject negative len for XMLParseBuffer to prevent improper restriction of XML External Entity Reference - CVE-2024-45491: prevent integer overflow in dtdCopy - CVE-2024-45492: prevent integer overflow in...

9.8 CVSS · 7.2 AI score · 0.01686 EPSS
Exploits 0 · References 1
OSV
added 2024/09/12 9:34 a.m. · 23 views

SUSE-SU-2024:3214-1 Security update for go1.23

This update for go1.23 fixes the following issues: - Update go v1.23.1 - CVE-2024-34155: Fixed stack exhaustion in all Parse functions. bsc1230252 - CVE-2024-34156: Fixed stack exhaustion in Decoder.Decode. bsc1230253 - CVE-2024-34158: Fixed stack exhaustion in Parse. bsc1230254...

7.5 CVSS · 7.8 AI score · 0.01127 EPSS
Exploits 0 · References 8
OSV
added 2024/09/12 9:33 a.m. · 23 views

SUSE-SU-2024:3213-1 Security update for go1.22

This update for go1.22 fixes the following issues: - Update go v1.22.7 - CVE-2024-34155: Fixed stack exhaustion in all Parse functions. bsc1230252 - CVE-2024-34156: Fixed stack exhaustion in Decoder.Decode. bsc1230253 - CVE-2024-34158: Fixed stack exhaustion in Parse. bsc1230254...

7.5 CVSS · 7.8 AI score · 0.01127 EPSS
Exploits 0 · References 8
Microsoft CVE
added 2024/09/11 7:0 a.m. · 3 views

In x/text in Go before v0.3.5 a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

...

7.5 CVSS · 7 AI score · 0.01674 EPSS
Exploits 1
Microsoft CVE
added 2024/09/11 7:0 a.m. · 3 views

In x/text in Go 1.15.4 an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

...

7.5 CVSS · 7 AI score · 0.02297 EPSS
Exploits 1
Microsoft CVE
added 2024/09/11 7:0 a.m. · 2 views

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation

...

8.8 CVSS · 7 AI score · 0.09304 EPSS
Exploits 1
Tenable Nessus
added 2024/09/11 12:0 a.m. · 37 views

SUSE SLES12 Security Update : go1.23 (SUSE-SU-2024:3197-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3197-1 advisory. - Update go v1.23.1 - CVE-2024-34155: Fixed stack exhaustion in all Parse functions. bsc1230252 - CVE-2024-34156: Fixed stack...

7.5 CVSS · 7.3 AI score · 0.01127 EPSS
Exploits 0 · References 11
Tenable Nessus
added 2024/09/11 12:0 a.m. · 34 views

SUSE SLES12 Security Update : go1.22 (SUSE-SU-2024:3196-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3196-1 advisory. - Update to go v1.22.7 - CVE-2024-34155: Fixed stack exhaustion in all Parse functions. bsc1230252 - CVE-2024-34156: Fixed stack...

7.5 CVSS · 7.3 AI score · 0.01127 EPSS
Exploits 0 · References 11
BDU FSTEC
added 2024/09/11 12:0 a.m. · 4 views

The vulnerability of the `torch.jit.annotations.parse_type_line()` function in the PyTorch machine learning framework allows a hacker to execute arbitrary code.

The vulnerability of the `torch.jit.annotations.parse_type_line()` function in the PyTorch machine learning framework is related to incorrect code generation. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...

10 CVSS · 7.3 AI score · 0.01192 EPSS
Exploits 1 · References 4 · Affected Software 1
OSV
added 2024/09/10 2:16 p.m. · 21 views

SUSE-SU-2024:3197-1 Security update for go1.23

This update for go1.23 fixes the following issues: - Update go v1.23.1 - CVE-2024-34155: Fixed stack exhaustion in all Parse functions. bsc1230252 - CVE-2024-34156: Fixed stack exhaustion in Decoder.Decode. bsc1230253 - CVE-2024-34158: Fixed stack exhaustion in Parse. bsc1230254...

7.5 CVSS · 7.8 AI score · 0.01127 EPSS
Exploits 0 · References 8
OSV
added 2024/09/10 2:10 p.m. · 21 views

SUSE-SU-2024:3196-1 Security update for go1.22

This update for go1.22 fixes the following issues: - Update to go v1.22.7 - CVE-2024-34155: Fixed stack exhaustion in all Parse functions. bsc1230252 - CVE-2024-34156: Fixed stack exhaustion in Decoder.Decode. bsc1230253 - CVE-2024-34158: Fixed stack exhaustion in Parse. bsc1230254...

7.5 CVSS · 7.9 AI score · 0.01127 EPSS
Exploits 0 · References 8
OSV
added 2024/09/10 7:6 a.m. · 10 views

BIT-GOLANG-2024-34155 Stack exhaustion in all Parse functions in go/parser

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion...

4.3 CVSS · 5.9 AI score · 0.00832 EPSS
Exploits 0 · References 6
OSV
added 2024/09/10 7:6 a.m. · 14 views

BIT-GOLANG-2024-34158 Stack exhaustion in Parse in go/build/constraint

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion...

7.5 CVSS · 7.2 AI score · 0.01037 EPSS
Exploits 0 · References 6
Positive Technologies
added 2024/09/09 12:0 a.m. · 2 views

PT-2024-39044 · WordPress · Affiliate Super Assistent

Name of the Vulnerable Software and Affected Versions: The Affiliate Super Assistent plugin for WordPress versions up to, and including, 1.5.3 Description: The issue is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This...

7.3 CVSS · 7.6 AI score · 0.0063 EPSS
Exploits 0 · References 13
RedhatCVE
added 2024/09/07 12:9 a.m. · 24 views

CVE-2024-34155

A flaw was found in the go/parser package of the Golang standard library. Calling any Parse functions on Go source code containing deeply nested literals can cause a panic due to stack exhaustion. Mitigation Mitigation for this issue is either not available or the currently available options do n...

5.9 CVSS · 6.2 AI score · 0.00832 EPSS
Exploits 0 · References 7
RedhatCVE
added 2024/09/06 11:42 p.m. · 24 views

CVE-2024-34158

A flaw was found in the go/build/constraint package of the Golang standard library. Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Mitigation Mitigation for this issue is either not available or the currently available optio...

5.9 CVSS · 7.3 AI score · 0.01037 EPSS
Exploits 0 · References 7
NVD
added 2024/09/06 9:15 p.m. · 27 views

CVE-2024-34158

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion...

7.5 CVSS · 0.01037 EPSS
Exploits 0 · References 5
OSV
added 2024/09/06 9:15 p.m. · 13 views

CVE-2024-34158

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion...

6.8 AI score
Exploits 0 · References 5
OSV
added 2024/09/06 9:15 p.m. · 4 views

AZL-79078 CVE-2024-34158 affecting package golang 1.25.7-1

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion...

7.5 CVSS · 6.9 AI score · 0.01037 EPSS
Exploits 0 · References 1