Go Security Vulnerabilities and Issues — Go CVE List

Lucene search

GolangGo

9 matches found

CVE•added 2021/07/15 2:15 p.m.•552 views

CVE-2021-34558

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

6.5CVSS7AI score0.00839EPSS

CVE•added 2023/07/11 8:15 p.m.•496 views

CVE-2023-29406

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

6.5CVSS7.2AI score0.00131EPSS

CVE•added 2021/01/26 6:16 p.m.•449 views

CVE-2021-3114

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

6.5CVSS7AI score0.00043EPSS

CVE•added 2023/09/08 5:15 p.m.•395 views

CVE-2023-39319

The html/template package does not apply the proper rules for handling occurrences of "

6.1CVSS7.1AI score0.00062EPSS

CVE•added 2023/09/08 5:15 p.m.•380 views

CVE-2023-39318

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in [removed] contexts. This may cause the template parser to improperly interpret the contents of [removed] contexts, causing actions to be improperly escaped. This may be leveraged to ...

6.1CVSS7AI score0.00062EPSS

CVE•added 2022/08/10 8:15 p.m.•345 views

CVE-2022-1705

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

6.5CVSS7.5AI score0.00039EPSS

CVE•added 2022/08/10 8:15 p.m.•316 views

CVE-2022-32148

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forw...

6.5CVSS7.4AI score0.00048EPSS

CVE•added 2020/09/02 5:15 p.m.•284 views

CVE-2020-24553

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

6.1CVSS6AI score0.00184EPSS

CVE•added 2019/03/13 8:29 a.m.•125 views

CVE-2019-9741

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

6.1CVSS6.3AI score0.00979EPSS