Go Vulnerability Database

• Affects: github.com/gorilla/sessions
• Published: Apr 17, 2024
• Modified: Apr 17, 2024

(This report has been withdrawn on the grounds that it generates too many false positives. Session IDs are documented as not being suitable to hold user-provided data.) FilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem. Programs which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.

• CVE-2023-45288, GHSA-4v7x-pqxf-cx7m
• Affects: net/http, golang.org/x/net
• Published: Apr 03, 2024
• Modified: Apr 16, 2024

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

• CVE-2021-41803, GHSA-hr3v-8cp3-68rf
• Affects: github.com/hashicorp/consul
• Published: Apr 05, 2024

HashiCorp Consul does not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.

• CVE-2024-22189, GHSA-c33x-xqrf-c478
• Affects: github.com/quic-go/quic-go
• Published: Apr 05, 2024

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

• CVE-2023-3300, GHSA-v5fm-hr72-27hx
• Affects: github.com/hashicorp/nomad
• Published: Apr 04, 2024

A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability affects Nomad since 0.11.0 and was fixed in 1.4.11 and 1.5.7.