Go@* Security Vulnerabilities and Issues — Go@* CVE List

Lucene search

GolangGo*

13 matches found

CVE•added 2020/01/14 11:15 p.m.•1295 views

CVE-2020-0601

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, l...

8.1CVSS7.6AI score0.94044EPSS

CVE•added 2020/11/18 5:15 p.m.•426 views

CVE-2020-28362

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.

7.5CVSS7.5AI score0.0015EPSS

CVE•added 2020/08/06 6:15 p.m.•393 views

CVE-2020-16845

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

7.5CVSS7.7AI score0.00084EPSS

CVE•added 2020/07/17 4:15 p.m.•374 views

CVE-2020-15586

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

5.9CVSS6.6AI score0.00614EPSS

CVE•added 2020/03/16 9:15 p.m.•331 views

CVE-2020-7919

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

7.8CVSS7.3AI score0.00627EPSS

CVE•added 2020/11/18 5:15 p.m.•316 views

CVE-2020-28367

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

7.5CVSS8.2AI score0.00272EPSS

CVE•added 2020/09/02 5:15 p.m.•286 views

CVE-2020-24553

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

6.1CVSS6AI score0.00184EPSS

CVE•added 2020/11/18 5:15 p.m.•232 views

CVE-2020-28366

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

7.5CVSS8.1AI score0.00218EPSS

CVE•added 2020/12/14 8:15 p.m.•223 views

CVE-2020-29509

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications...

9.8CVSS6.1AI score0.0033EPSS

CVE•added 2020/12/14 8:15 p.m.•211 views

CVE-2020-29511

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

9.8CVSS6.1AI score0.0033EPSS

CVE•added 2020/02/08 7:15 p.m.•207 views

CVE-2015-5741

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

9.8CVSS9AI score0.01751EPSS

CVE•added 2020/07/17 4:15 p.m.•152 views

CVE-2020-14039

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

5.3CVSS5.5AI score0.0041EPSS

CVE•added 2020/12/14 8:15 p.m.•90 views

CVE-2020-29510

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

9.8CVSS6.1AI score0.00166EPSS