5 matches found
CVE-2021-34558
CVE-2021-34558 affects the Go crypto/tls implementation. In Go up to 1.16.5, the certificate public-key type is not properly validated for RSA-based key exchanges, allowing a TLS server to trigger a panic in the client. Several connected advisories link this to Go’s TLS handling and note remediat...
CVE-2020-7919
The CVE-2020-7919 issue affects Go before 1.12.16 and Go 1.13.x before 1.13.7, including the crypto/cryptobyte package (0.0.0-20200124225646-8b5121be2f68). A malformed X.509 certificate can cause a panic in clients, enabling denial-of-service conditions. In practice, Helm advisories note Go 1.14....
CVE-2021-44716
CVE-2021-44716 affects Go's net/http implementation: before Go 1.16.12 and 1.17.x before 1.17.5, HTTP/2 header canonicalization can cause uncontrolled memory consumption. The vulnerability is rooted in the header cache behavior. Multiple connected advisories indicate that upgrades resolve the iss...
CVE-2022-28131
CVE-2022-28131: Uncontrolled recursion in Decoder.Skip in encoding/xml can panic due to stack exhaustion when parsing deeply nested XML. Affected: Go's encoding/xml package. Root cause: recursion while skipping nested XML elements. Impact: potential denial of service via panic/availability loss. ...
CVE-2021-39293
CVE-2021-39293: In Go's archive/zip, a crafted ZIP header can cause a panic. Connected advisories show affected Go versions include: Go before 1.15.13 and 1.16.x before 1.16.5 (Astra Linux), and the initial entry references Go 1.16.8 and 1.17.1 as contexts. Several advisories note this as an inco...