10 matches found
CVE-2022-23773
CVE-2022-23773 affects the Go toolchain component cmd/go. Impact: branch names may be misinterpreted as version tags, potentially granting inappropriate access to create branches but not tags. Affected: Go before 1.16.14 and 1.17.x before 1.17.7. Mitigation: upgrade to fixed releases (Go 1.16.14+...
CVE-2021-3114
CVE-2021-3114 affects Go’s elliptic curve implementation on the P-224 curve. Affected products/versions: Go before 1.14.14 and 1.15.x before 1.15.7. Root cause: the crypto/elliptic/p224.go path can produce incorrect outputs due to an underflow of the lowest limb during the final complete reductio...
CVE-2022-23806
CVE-2022-23806 affects Go's crypto/elliptic IsOnCurve, which can incorrectly return true when a big.Int value is not a valid field element. Impact: potential impact to availability and integrity as implied by the vulnerability description. Root cause is an out-of-spec check in IsOnCurve for inval...
CVE-2020-28362
CVE-2020-28362 affects Go up to 1.14.12 and 1.15.x up to 1.15.4. The issue is a Denial of Service caused by a panic in math/big during recursive division of very large numbers, exploitable via Go tooling/build processes. Remediation: upgrade Go to a remediate version (Go 1.14.12+ or 1.15.4+ as ap...
CVE-2022-23772
CVE-2022-23772 affects Go (golang) where Rat.SetString in math/big can overflow, leading to uncontrolled memory consumption. Connected advisories confirm this issue alongside other Go vulnerabilities (e.g., CVE-2022-23773, CVE-2022-23806) across multiple Go components (cmd/go, crypto/elliptic, ar...
CVE-2021-33195
CVE-2021-33195 affects Go's net package: LookupCNAME/LookupSRV/LookupMX/LookupNS/LookupAddr may return DNS data that isn’t RFC1035-compliant, enabling unsafe injections (e.g., XSS). Affected: Go before 1.15.13 and 1.16.x before 1.16.5. Remediation: upgrade Go to 1.15.13+ or 1.16.5+ (and newer). T...
CVE-2021-3115
The CVE-2021-3115 entry involves the Go toolchain (golang) prior to Go 1.14.14 and 1.15.x prior to 1.15.7 on Windows, where using go get to fetch modules that use cgo can lead to command injection and remote code execution. The vulnerability stems from cgo-enabled module fetch that can execute a ...
CVE-2019-16276
CVE-2019-16276 affects the Go programming language’s net/http handling, allowing HTTP Request Smuggling when an HTTP header contains spaces before the colon. The issue is publicly documented across multiple advisories; Go versions prior to fixes described in the connected documents are affected. ...
CVE-2020-28366
CVE-2020-28366 affects the Go toolchain: code injection/arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file, impacting go commands using cgo before Go 1.14.12 and Go 1.15.5. The described impact is at build time, not runtime, with a high-severity pr...
CVE-2022-30634
CVE-2022-30634 describes an infinite loop in Read in crypto/rand prior to Go 1.17.11 and Go 1.18.3 on Windows, triggered by buffers larger than 1<