Lucene search

K

123 matches found

CVE
CVE
added 2023/09/08 5:15 p.m.398 views

CVE-2023-39320

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downlo...

9.8CVSS9.6AI score0.0059EPSS
CVE
CVE
added 2022/04/20 10:15 a.m.397 views

CVE-2022-24675

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

7.5CVSS9.5AI score0.00132EPSS
CVE
CVE
added 2023/11/09 5:15 p.m.391 views

CVE-2023-45283

The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equ...

7.5CVSS7.9AI score0.00063EPSS
CVE
CVE
added 2020/07/17 4:15 p.m.387 views

CVE-2020-15586

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

5.9CVSS6.6AI score0.00614EPSS
CVE
CVE
added 2021/08/07 5:15 p.m.385 views

CVE-2021-29923

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

7.5CVSS7.5AI score0.00115EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.385 views

CVE-2022-1705

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

6.5CVSS7.5AI score0.00053EPSS
CVE
CVE
added 2021/08/02 7:15 p.m.383 views

CVE-2021-33198

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.

7.5CVSS7.5AI score0.00031EPSS
CVE
CVE
added 2022/04/20 10:15 a.m.377 views

CVE-2022-28327

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

7.5CVSS9.4AI score0.00129EPSS
CVE
CVE
added 2020/03/16 9:15 p.m.374 views

CVE-2020-7919

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

7.8CVSS7.3AI score0.00627EPSS
CVE
CVE
added 2021/03/11 12:15 a.m.366 views

CVE-2021-27918

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

7.5CVSS7.4AI score0.00028EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.363 views

CVE-2022-28131

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

7.5CVSS7.7AI score0.00013EPSS
CVE
CVE
added 2024/06/05 4:15 p.m.363 views

CVE-2024-24789

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects fi...

5.5CVSS6.3AI score0.00006EPSS
CVE
CVE
added 2022/01/01 5:15 a.m.361 views

CVE-2021-44716

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

7.5CVSS7.6AI score0.0008EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.361 views

CVE-2022-30631

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.

7.5CVSS7.8AI score0.00041EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.361 views

CVE-2022-32189

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

7.5CVSS7.2AI score0.001EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.359 views

CVE-2022-30632

Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.

7.5CVSS7.8AI score0.00084EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.358 views

CVE-2022-1962

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.

5.5CVSS6.7AI score0.00005EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.356 views

CVE-2022-32148

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forw...

6.5CVSS7.4AI score0.00056EPSS
CVE
CVE
added 2023/12/05 5:15 p.m.355 views

CVE-2023-45287

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing informat...

7.5CVSS7.6AI score0.00185EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.343 views

CVE-2022-30635

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.

7.5CVSS7.7AI score0.00155EPSS
CVE
CVE
added 2019/08/13 9:15 p.m.341 views

CVE-2019-14809

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an a...

9.8CVSS8.2AI score0.02582EPSS
In wild
CVE
CVE
added 2021/01/26 6:16 p.m.341 views

CVE-2021-3115

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

7.5CVSS8.1AI score0.0013EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.338 views

CVE-2022-30630

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.

7.5CVSS7.7AI score0.00034EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.334 views

CVE-2022-30633

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

7.5CVSS7.7AI score0.00084EPSS
CVE
CVE
added 2020/11/18 5:15 p.m.325 views

CVE-2020-28367

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

7.5CVSS8.2AI score0.00272EPSS
CVE
CVE
added 2022/01/01 5:15 a.m.317 views

CVE-2021-44717

Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.

5.8CVSS6.2AI score0.00547EPSS
CVE
CVE
added 2021/11/08 6:15 a.m.312 views

CVE-2021-41772

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

7.5CVSS7.3AI score0.00062EPSS
CVE
CVE
added 2021/10/18 6:15 a.m.308 views

CVE-2021-38297

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

9.8CVSS9.4AI score0.05854EPSS
Web
CVE
CVE
added 2022/09/13 6:15 p.m.300 views

CVE-2022-32190

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

7.5CVSS7.5AI score0.00143EPSS
CVE
CVE
added 2020/09/02 5:15 p.m.295 views

CVE-2020-24553

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

6.1CVSS6AI score0.00184EPSS
CVE
CVE
added 2021/11/08 6:15 a.m.286 views

CVE-2021-41771

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.

7.5CVSS7.5AI score0.00362EPSS
CVE
CVE
added 2022/01/24 1:15 a.m.270 views

CVE-2021-39293

In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.

7.5CVSS7.7AI score0.00022EPSS
CVE
CVE
added 2019/10/24 10:15 p.m.261 views

CVE-2019-17596

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

7.5CVSS7.3AI score0.0234EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.243 views

CVE-2022-30580

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

7.8CVSS8AI score0.0003EPSS
CVE
CVE
added 2019/09/30 7:15 p.m.242 views

CVE-2019-16276

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

7.5CVSS7.5AI score0.09219EPSS
CVE
CVE
added 2020/11/18 5:15 p.m.242 views

CVE-2020-28366

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

7.5CVSS8.1AI score0.00218EPSS
CVE
CVE
added 2021/01/02 6:15 a.m.240 views

CVE-2020-28851

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

7.5CVSS7.3AI score0.00138EPSS
CVE
CVE
added 2020/12/14 8:15 p.m.226 views

CVE-2020-29509

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications...

9.8CVSS6.1AI score0.00187EPSS
CVE
CVE
added 2018/12/14 2:29 p.m.214 views

CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in...

8.1CVSS8.5AI score0.60127EPSS
CVE
CVE
added 2020/12/14 8:15 p.m.213 views

CVE-2020-29511

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

9.8CVSS6.1AI score0.00187EPSS
CVE
CVE
added 2020/02/08 7:15 p.m.210 views

CVE-2015-5741

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

9.8CVSS9AI score0.01751EPSS
CVE
CVE
added 2022/12/07 5:15 p.m.200 views

CVE-2022-41720

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens th...

7.5CVSS7.4AI score0.00069EPSS
CVE
CVE
added 2018/12/14 2:29 p.m.199 views

CVE-2018-16874

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode ...

8.1CVSS8.2AI score0.12882EPSS
CVE
CVE
added 2022/11/02 4:15 p.m.184 views

CVE-2022-41716

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior...

7.5CVSS7.5AI score0.00013EPSS
CVE
CVE
added 2019/01/24 5:29 a.m.175 views

CVE-2019-6486

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

8.2CVSS7.9AI score0.02397EPSS
CVE
CVE
added 2018/12/14 2:29 p.m.168 views

CVE-2018-16875

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are...

7.8CVSS7.5AI score0.01525EPSS
CVE
CVE
added 2022/08/10 8:15 p.m.157 views

CVE-2022-29804

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

7.5CVSS7.5AI score0.00054EPSS
CVE
CVE
added 2020/07/17 4:15 p.m.153 views

CVE-2020-14039

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

5.3CVSS5.5AI score0.0041EPSS
CVE
CVE
added 2022/07/15 8:15 p.m.153 views

CVE-2022-30634

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 <

7.5CVSS7.5AI score0.00023EPSS
CVE
CVE
added 2021/03/11 12:15 a.m.150 views

CVE-2021-27919

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.

5.5CVSS6AI score0.00132EPSS
Total number of security vulnerabilities123