Vulnerability Reports
GO-2024-2730
- Affects: github.com/gorilla/sessions
- Published: Apr 17, 2024
- Modified: Apr 17, 2024
(This report has been withdrawn on the grounds that it generates too many false positives. Session IDs are documented as not being suitable to hold user-provided data.) FilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem. Programs which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.
GO-2024-2687
- CVE-2023-45288, GHSA-4v7x-pqxf-cx7m
- Affects: net/http, golang.org/x/net
- Published: Apr 03, 2024
- Modified: Apr 16, 2024
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
GO-2024-2683
- CVE-2021-41803, GHSA-hr3v-8cp3-68rf
- Affects: github.com/hashicorp/consul
- Published: Apr 05, 2024
HashiCorp Consul does not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.
GO-2024-2682
- CVE-2024-22189, GHSA-c33x-xqrf-c478
- Affects: github.com/quic-go/quic-go
- Published: Apr 05, 2024
An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.
GO-2024-2671
- CVE-2023-3300, GHSA-v5fm-hr72-27hx
- Affects: github.com/hashicorp/nomad
- Published: Apr 04, 2024
A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability affects Nomad since 0.11.0 and was fixed in 1.4.11 and 1.5.7.
GO-2024-2670
- CVE-2023-3072, GHSA-rpvr-38xv-xvxq
- Affects: github.com/hashicorp/nomad
- Published: Apr 04, 2024
An ACL policy using a block without label can be applied to unexpected resources in Nomad, a distributed, highly available scheduler designed for effortless operations and management of applications.
GO-2024-2669
- CVE-2023-3299, GHSA-9jfx-84v9-2rr2
- Affects: github.com/hashicorp/nomad
- Published: Apr 04, 2024
A vulnerability exists in Nomad where the API caller's ACL token secret ID is exposed to Sentinel policies.
GO-2024-2668
- CVE-2024-28232, GHSA-hcw2-2r9c-gc6p
- Affects: github.com/IceWhaleTech/CasaOS-UserService
- Published: Apr 02, 2024
- Modified: Apr 03, 2024
The Casa OS Login page has a username enumeration vulnerability in the login page that was patched in Casa OS v0.4.7. The issue exists because the application response differs depending on whether the username or password is incorrect, allowing an attacker to enumerate usernames by observing the application response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine if a username exists without knowing the password.
GO-2024-2667
- CVE-2024-29893, GHSA-jhwx-mhww-rgc3
- Affects: github.com/argoproj/argo-cd/v2
- Published: Apr 16, 2024
Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2
GO-2024-2666
- CVE-2024-28860, GHSA-pwqm-x5x6-5586
- Affects: github.com/cilium/cilium
- Published: Apr 16, 2024
Insecure IPsec transparent encryption in github.com/cilium/cilium
GO-2024-2661
- CVE-2019-19499, GHSA-4pwp-cx67-5cpx
- Affects: github.com/grafana/grafana
- Published: Mar 28, 2024
An authenticated attacker that has privileges to modify the data source configurations can read arbitrary files.
GO-2024-2660
- CVE-2024-1394, GHSA-78hx-gp6g-7mj6
- Affects: github.com/golang-fips/openssl/v2, github.com/microsoft/go-crypto-openssl
- Published: Mar 27, 2024
Using crafted public RSA keys can cause a small memory leak when encrypting and verifying payloads. This can be gradually leveraged into a denial of service attack.
GO-2024-2659
- CVE-2024-29018, GHSA-mq39-4gv4-mvpx
- Affects: github.com/docker/docker
- Published: Mar 22, 2024
dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.
GO-2024-2658
- CVE-2024-1753, GHSA-pmf3-c36m-g5cf
- Affects: github.com/containers/buildah
- Published: Mar 22, 2024
- Modified: Apr 16, 2024
A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.
GO-2024-2657
- CVE-2024-28250, GHSA-v6q2-4qr3-5cw6
- Affects: github.com/cilium/cilium
- Published: Mar 22, 2024
- Modified: Mar 22, 2024
In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes, and traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.
GO-2024-2656
- CVE-2024-28249, GHSA-j89h-qrvr-xc36
- Affects: github.com/cilium/cilium
- Published: Mar 22, 2024
- Modified: Mar 22, 2024
In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted.
GO-2024-2655
- CVE-2024-28855, GHSA-hfrg-4jwr-jfpj
- Affects: github.com/zitadel/zitadel
- Published: Mar 27, 2024
The Login UI did not sanitize input parameters. An attacker could create a malicious link, where injected code would be rendered as part of the login screen.
GO-2024-2654
- CVE-2024-21661, GHSA-6v85-wr92-q4p7
- Affects: github.com/argoproj/argo-cd/v2
- Published: Mar 22, 2024
Application may crash due to concurrent writes, leading to a denial of service. An attacker can crash the application continuously, making it impossible for legitimate users to access the service. Authentication is not required in the attack.
GO-2024-2653
- CVE-2024-28248, GHSA-68mj-9pjq-mc85
- Affects: github.com/cilium/cilium
- Published: Mar 22, 2024
Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.
GO-2024-2652
- CVE-2024-21662, CVE-2024-21652, and 2 more
- Affects: github.com/argoproj/argo-cd/v2
- Published: Mar 22, 2024
An attacker can effectively bypass the rate limit and brute force protections in Argo CD by exploiting the application's weak cache-based mechanism. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.
GO-2024-2646
- CVE-2024-28175, GHSA-jwv5-8mqv-g387
- Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
- Published: Mar 22, 2024
Due to the improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. A malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources.
GO-2024-2643
- CVE-2023-50726, GHSA-g623-jcgg-mhmm
- Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
- Published: Mar 22, 2024
An improper validation bug allows users who have create privileges to sync a local manifest during application creation. This allows for bypassing the restriction that the manifests come from some approved git/Helm/OCI source.
GO-2024-2631
- CVE-2024-28180, GHSA-c5q2-7r4c-mv6g
- Affects: github.com/go-jose/go-jose/v4, github.com/go-jose/go-jose/v3, and 2 more
- Published: Mar 15, 2024
An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
GO-2024-2618
- CVE-2024-28110, GHSA-5pf6-2qwx-pxm2
- Affects: github.com/cloudevents/sdk-go/v2
- Published: Mar 11, 2024
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.
GO-2024-2617
- CVE-2024-2048, GHSA-r3w7-mfpm-c2vw
- Affects: github.com/hashicorp/vault
- Published: Mar 14, 2024
The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.
GO-2024-2616
- CVE-2024-24765, GHSA-h5gf-cmm8-cg7c
- Affects: github.com/IceWhaleTech/CasaOS-UserService
- Published: Mar 11, 2024
The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.
GO-2024-2615
- CVE-2024-24766, GHSA-c967-2652-gfjm
- Affects: github.com/IceWhaleTech/CasaOS-UserService
- Published: Mar 14, 2024
CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.
GO-2024-2614
- CVE-2024-24767, GHSA-c69x-5xmw-v44x
- Affects: github.com/IceWhaleTech/CasaOS-UserService
- Published: Mar 18, 2024
The CasaOS web application does not have protection against password brute force attacks. An attacker can use a password brute force attack to find and gain full access to the server. This vulnerability allows attackers to get super user-level access over the server.
GO-2024-2613
- CVE-2024-27288, GHSA-26w3-q4j8-4xjp
- Affects: github.com/1Panel-dev/1Panel
- Published: Mar 14, 2024
If the user attempts to access a secure entry point and intercepts with Burp, they can get access to the console page. This access does not return data nor allow modification operations.
GO-2024-2611
- CVE-2024-24786, GHSA-8r3f-844c-mc37
- Affects: google.golang.org/protobuf
- Published: Mar 05, 2024
- Modified: Apr 05, 2024
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
GO-2024-2610
- CVE-2024-24785
- Affects: html/template
- Published: Mar 05, 2024
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
GO-2024-2609
- CVE-2024-24784
- Affects: net/mail
- Published: Mar 05, 2024
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
GO-2024-2608
- CVE-2024-27916, GHSA-v627-69v2-xx37
- Affects: github.com/stacklok/minder
- Published: Mar 11, 2024
A Minder user can use the endpoints to access any repository in the DB, irrespective of who owns the repo and any permissions that user may have. The DB query used checks by repo owner, repo name and provider name (which is always "github"). These query values are not distinct for the particular user, as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. DeleteRepositoryByName uses the same query and a user can delete another user's repo using this technique. The GetArtifactByName endpoint also uses this DB query.
GO-2024-2606
- CVE-2024-27304, GHSA-mrww-27vc-gghv, and 1 more
- Affects: github.com/jackc/pgproto3/v2, github.com/jackc/pgx/v4, and 1 more
- Published: Mar 14, 2024
An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.
GO-2024-2605
- CVE-2024-27289, GHSA-m7wr-2xf7-cm9p
- Affects: github.com/jackc/pgx/v4
- Published: Mar 11, 2024
SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.
GO-2024-2604
- CVE-2024-27302, GHSA-fgxv-gw55-r5fq
- Affects: github.com/zeromicro/go-zero
- Published: Mar 11, 2024
The CORS Filter feature in go-zero allows users to specify an array of domains allowed in the CORS policy. However, the isOriginAllowed function uses strings.HasSuffix to check the origin, which can lead to a bypass via a domain like "evil-victim.com". This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and retrieve data on behalf of other users.
GO-2024-2602
- CVE-2024-27918, GHSA-7cc2-r658-7xpf
- Affects: github.com/coder/coder, github.com/coder/coder/v2
- Published: Mar 11, 2024
A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like google.com). During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAINs.
GO-2024-2600
- CVE-2023-45289
- Affects: net/http, net/http/cookiejar
- Published: Mar 05, 2024
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
GO-2024-2599
- CVE-2023-45290
- Affects: net/textproto
- Published: Mar 05, 2024
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
GO-2024-2598
- CVE-2024-24783
- Affects: crypto/x509
- Published: Mar 05, 2024
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
GO-2024-2587
- CVE-2022-45786, GHSA-6p5q-h963-pwwf
- Affects: github.com/apache/age/drivers/golang
- Published: Mar 04, 2024
SQL injection in github.com/apache/age/drivers/golang
GO-2024-2584
- GHSA-86h5-xcpx-cfqc
- Affects: github.com/cosmos/cosmos-sdk
- Published: Mar 05, 2024
Slashing evasion in github.com/cosmos/cosmos-sdk
GO-2024-2583
- GHSA-x5r5-2qrx-rqj8
- Affects: github.com/edgelesssys/marblerun
- Published: Mar 04, 2024
Encryption bypass in github.com/edgelesssys/marblerun
GO-2024-2554
- CVE-2024-25620, GHSA-v53g-5gjp-272r
- Affects: helm.sh/helm/v3
- Published: Feb 29, 2024
Path traversal in helm.sh/helm/v3
GO-2024-2539
- CVE-2024-23319, GHSA-4fp6-574p-fc35
- Affects: github.com/mattermost/mattermost-plugin-jira
- Published: Mar 18, 2024
Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira
GO-2024-2538
- CVE-2024-1329, GHSA-c866-8gpw-p3mv
- Affects: github.com/hashicorp/nomad
- Published: Mar 04, 2024
Symlink attack in github.com/hashicorp/nomad
GO-2024-2536
- CVE-2023-32193, GHSA-r8f4-hv23-6qp6
- Affects: github.com/rancher/norman
- Published: Feb 20, 2024
Cross-site scripting in public API in github.com/rancher/norman
GO-2024-2534
- CVE-2023-32192, GHSA-833m-37f7-jq55
- Affects: github.com/rancher/apiserver
- Published: Feb 15, 2024
Unauthenticated cross-site scripting in github.com/rancher/apiserver
GO-2024-2497
- CVE-2024-23653, GHSA-wr6v-9f75-vh2g
- Affects: github.com/moby/buildkit
- Published: Feb 07, 2024
BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.
GO-2024-2494
- CVE-2024-23652, GHSA-4v98-7qmw-rqr8
- Affects: github.com/moby/buildkit
- Published: Feb 12, 2024
A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.
GO-2024-2493
- CVE-2024-23651, GHSA-m3r6-h7wv-7xxv
- Affects: github.com/moby/buildkit
- Published: Feb 13, 2024
Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
GO-2024-2492
- CVE-2024-23650, GHSA-9p26-698r-w4hx
- Affects: github.com/moby/buildkit
- Published: Feb 12, 2024
A malicious BuildKit client or frontend could craft a request that could lead to a BuildKit daemon crashing with a panic.
GO-2024-2490
- CVE-2024-24579, GHSA-hpxr-w9w7-g4gv
- Affects: github.com/anchore/stereoscope
- Published: Feb 13, 2024
It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory.
GO-2024-2482
- CVE-2024-23840, GHSA-h3q2-8whx-c29h
- Affects: github.com/goreleaser/goreleaser
- Published: Feb 13, 2024
Secret values can be printed to the --debug log when using a a custom publisher.
GO-2024-2471
- GHSA-qr8r-m495-7hc4
- Affects: github.com/cometbft/cometbft
- Published: Jan 23, 2024
A vulnerability in CometBFT’s validation logic for VoteExtensionsEnableHeight can result in a chain halt when triggered through a governance parameter change proposal on an ABCI2 Application Chain. If a parameter change proposal including a VoteExtensionsEnableHeight modification is passed, nodes running the affected versions may panic, halting the network.
GO-2024-2469
- GHSA-f6jh-hvg2-9525
- Affects: github.com/kudelskisecurity/crystals-go
- Published: Jan 17, 2024
Kyberslash timing attack possible in github.com/kudelskisecurity/crystals-go
GO-2024-2466
- CVE-2023-49568, GHSA-mw99-9chc-xw7r
- Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
- Published: Jan 23, 2024
Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
GO-2024-2464
- CVE-2024-22197, GHSA-pxmr-q2x3-9x9m
- Affects: github.com/0xJacky/Nginx-UI
- Published: Jan 17, 2024
Remote command execution in github.com/0xJacky/Nginx-UI
GO-2024-2463
- CVE-2024-22196, GHSA-h374-mm57-879c
- Affects: github.com/0xJacky/Nginx-UI
- Published: Jan 17, 2024
SQL injection in github.com/0xJacky/Nginx-UI
GO-2024-2462
- CVE-2024-22198, GHSA-8r25-68wm-jw35
- Affects: github.com/0xJacky/Nginx-UI
- Published: Jan 30, 2024
Arbitrary command execution in github.com/0xJacky/Nginx-UI
GO-2024-2461
- CVE-2024-22199, GHSA-4mq2-gc4j-cmw6
- Affects: github.com/gofiber/template/django/v3
- Published: Jan 17, 2024
Cross-site scripting in github.com/gofiber/template/django/v3
GO-2024-2459
- CVE-2023-49295, GHSA-ppxx-5m9h-6vxf
- Affects: github.com/quic-go/quic-go
- Published: Jan 23, 2024
Denial of service via path validation in github.com/quic-go/quic-go
GO-2024-2456
- CVE-2023-49569, GHSA-449p-3h89-pw88
- Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
- Published: Jan 23, 2024
Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4
GO-2024-2454
- CVE-2024-21664, GHSA-pvcr-v8j8-j5q3
- Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
- Published: Jan 23, 2024
- Modified: Feb 16, 2024
Panic due to nil pointer dereference in github.com/lestrrat-go/jwx/v2
GO-2024-2453
- GHSA-9763-4f94-gfch
- Affects: github.com/cloudflare/circl
- Published: Jan 18, 2024
Timing side channel in github.com/cloudflare/circl
GO-2024-2451
- Affects: github.com/bincyber/go-sqlcrypter
- Published: Jan 30, 2024
There is a risk of an IV collision using the awskms or aesgcm provider. NIST SP 800-38D section 8.3 states that it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV. The limit could easily be reached given the use case of database column encryption. Ciphertexts are likely to be persisted and stored together. IV collision could enable an attacker with access to the ciphertexts to decrypt all messages encrypted with the affected key. The aesgcm provider cannot be fixed without a breaking change, so users should not encrypt more than 2^32 values with any key. The awskms package can be fixed without a breaking change by switching to a counter-based IV.
GO-2023-2413
- CVE-2023-49922, GHSA-hj4r-2c9c-29h3
- Affects: github.com/elastic/beats/v7
- Published: Jan 03, 2024
Sensitive information logged in github.com/elastic/beats/v7
GO-2023-2412
- GHSA-7ww5-4wqc-m92c
- Affects: github.com/containerd/containerd
- Published: Jan 02, 2024
RAPL accessibility in github.com/containerd/containerd
GO-2023-2409
- GHSA-mhpq-9638-x6pw
- Affects: github.com/dvsekhvalnov/jose2go
- Published: Dec 20, 2023
- Modified: Dec 20, 2023
An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.
GO-2023-2402
- CVE-2023-48795, GHSA-45x7-px36-x8w8
- Affects: golang.org/x/crypto
- Published: Dec 18, 2023
- Modified: Dec 20, 2023
A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features. This protocol weakness was also fixed in OpenSSH 9.6.
GO-2023-2400
- CVE-2023-50424, GHSA-92cg-ghq6-9587, and 1 more
- Affects: github.com/sap/cloud-security-client-go
- Published: Dec 16, 2023
- Modified: Dec 20, 2023
An unauthenticated attacker can obtain arbitrary permissions within the application under certain conditions.
GO-2023-2399
- CVE-2023-6337, GHSA-6p62-6cg9-f5f5
- Affects: github.com/hashicorp/vault
- Published: Jan 03, 2024
Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.
GO-2023-2394
- CVE-2023-50463, GHSA-rxg9-hgq7-8pwx
- Affects: github.com/shift72/caddy-geo-ip
- Published: Jan 02, 2024
The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
GO-2023-2386
- CVE-2023-45292, GHSA-5mmw-p5qv-w3x5
- Affects: github.com/mojocn/base64Captcha
- Published: Dec 08, 2023
- Modified: Dec 14, 2023
When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.
GO-2023-2385
- CVE-2023-26154, GHSA-5844-q3fc-56rh
- Affects: github.com/pubnub/go, github.com/pubnub/go/v5, and 3 more
- Published: Jan 02, 2024
There is insufficient entropy in the implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt functions are less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. Users are encouraged to migrate to the new crypto package introduced in v7.2.0.
GO-2023-2383
- CVE-2023-45285
- Affects: cmd/go
- Published: Dec 06, 2023
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
GO-2023-2382
- CVE-2023-39326
- Affects: net/http/internal
- Published: Dec 06, 2023
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
GO-2023-2380
- CVE-2023-49292, GHSA-8j98-cjfr-qx3h
- Affects: github.com/ecies/go/v2
- Published: Dec 11, 2023
An attacker may be able to recover private keys due to a bug in the ECDH function. The library does not check whether the provided public key is on the curve, which means that an attacker can create a public key that is not on the curve and use it to recover the private key. A workaround is to manually check that the public key is valid by calling the IsOnCurve function from the secp256k1 libraries.
GO-2023-2379
- CVE-2023-49290, GHSA-7f9x-gw85-8grf
- Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
- Published: Dec 11, 2023
The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. However, if an attacker sets the p2c parameter in JWE to a very large number, it can cause excessive computational consumption.
GO-2023-2375
- CVE-2023-45287
- Affects: crypto/tls
- Published: Dec 05, 2023
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.
GO-2023-2334
- GHSA-2c7c-3mj9-8fqh
- Affects: github.com/go-jose/go-jose/v3, github.com/square/go-jose
- Published: Nov 21, 2023
- Modified: Dec 13, 2023
The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.
GO-2023-2333
- GHSA-rjjm-x32p-m3f7
- Affects: github.com/consensys/gnark
- Published: Nov 15, 2023
Range checker gadget allows wider inputs than allowed in github.com/consensys/gnark
GO-2023-2328
- CVE-2023-45286, GHSA-xwh9-gc39-5298
- Affects: github.com/go-resty/resty/v2
- Published: Nov 27, 2023
- Modified: Jan 04, 2024
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
GO-2023-2186
- CVE-2023-45284
- Affects: path/filepath
- Published: Nov 08, 2023
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.
GO-2023-2185
- CVE-2023-45283
- Affects: path/filepath, internal/safefilepath, and 1 more
- Published: Nov 08, 2023
- Modified: Dec 06, 2023
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
GO-2023-2181
- CVE-2023-46737, GHSA-vfp6-jrw2-99g9
- Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
- Published: Nov 09, 2023
An attacker who controls a remote registry can return a high number of attestations and/or signatures to cosign. This can cause cosign to enter a long loop resulting in a denial of service, i.e., endless data attack.
GO-2023-2163
- CVE-2023-46129, GHSA-mr45-rx8q-wcm9
- Affects: github.com/nats-io/nkeys
- Published: Nov 02, 2023
- Modified: Nov 17, 2023
Curve KeyPairs always use the same (all-zeros) key to encrypt data, and provide no security.
GO-2023-2162
- CVE-2023-41891, GHSA-r847-6w6h-r8g4
- Affects: github.com/flyteorg/flyteadmin
- Published: Nov 02, 2023
A malicious user can send a REST request to a List endpoint with filters that contain custom SQL statements. This can result in SQL injection.
GO-2023-2160
- CVE-2023-46239, GHSA-3q6m-v84f-6p9h
- Affects: github.com/quic-go/quic-go
- Published: Nov 02, 2023
- Modified: Nov 17, 2023
The QUIC handshake can cause a panic when processing a certain sequence of frames. A malicious peer can deliberately trigger this panic.
GO-2023-2158
- CVE-2023-4457, GHSA-37x5-qpm8-53rq
- Affects: github.com/grafana/google-sheets-datasource
- Published: Nov 02, 2023
Error messages for the Google Sheets data source plugin were improperly sanitized. The Google Sheet API-key could potentially be exposed.
GO-2023-2153
- GHSA-m425-mq94-257g
- Affects: google.golang.org/grpc
- Published: Nov 01, 2023
- Modified: Dec 14, 2023
An attacker can send HTTP/2 requests, cancel them, and send subsequent requests. This is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit, grpc.MaxConcurrentStreams. This results in a denial of service due to resource consumption.
GO-2023-2137
- CVE-2023-45825, GHSA-q24m-6h38-5xj8
- Affects: github.com/ydb-platform/ydb-go-sdk/v3
- Published: Oct 24, 2023
A custom credentials object that does not implement the fmt.Stringer interface may leak sensitive information (e.g., credentials) via logs.
GO-2023-2133
- CVE-2023-47090, GHSA-fr2g-9hjm-wr23
- Affects: github.com/nats-io/nats-server/v2
- Published: Oct 24, 2023
- Modified: Dec 14, 2023
Without any authorization rules in the nats-server, users can connect without authentication. Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block. If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. When the only account added is the system account "$SYS", the nats-server would create an implicit user in "$G" and set it as the "no_auth_user" account, enabling the same "without authentication" logic as without any rules. This preserved the ability to connect simply, and then add one authenticated login for system access. But with an "authorization" block, this is wrong. Users exist in the global account, with login rules. And in simple testing, they might still connect fine without administrators seeing that authentication has been disabled. In the fixed versions, using an "authorization" block will inhibit the implicit creation of a "$G" user and setting it as the "no_auth_user" target. In unfixed versions, just creating a second account, with no users, will also inhibit this behavior.
GO-2023-2119
- GHSA-7p92-x423-vwj6
- Affects: github.com/consensys/gnark
- Published: Oct 24, 2023
A a third party may derive a valid proof from a valid initial tuple {proof, public_inputs}, corresponding to the same public inputs as the initial proof. This vulnerability is due to randomness being generated using a small part of the scratch memory describing the state, allowing for degrees of freedom in the transcript. Note that the impact is limited to the PlonK verifier smart contract.
GO-2023-2116
- CVE-2023-45141, GHSA-mv73-f69x-444p
- Affects: github.com/gofiber/fiber/v2
- Published: Oct 24, 2023
A cross-site request forgery vulnerability can allow an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The CSRF token is validated against tokens in storage but was is not tied to the original requestor that generated it, allowing for token reuse.
GO-2023-2115
- CVE-2023-45128, GHSA-94w9-97p3-p368
- Affects: github.com/gofiber/fiber/v2
- Published: Oct 24, 2023
A cross-site request forgery vulnerability in this package can allow an attacker to inject arbitrary values and forge malicious requests on behalf of a user. The attacker may inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. For 'safe' methods, the token is extracted from the cookie and saved to storage without further validation or sanitization. In addition, the CSRF token is validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.
GO-2023-2114
- CVE-2023-45683, GHSA-267v-3v32-g6q5
- Affects: github.com/crewjam/saml
- Published: Oct 24, 2023
The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim's browser loads the SAML IdP initiated SSO link for the malicious service provider.
GO-2023-2113
- CVE-2023-45142, GHSA-rcjv-mgp8-qvmr
- Affects: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful, go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin, and 5 more
- Published: Oct 16, 2023
- Modified: Dec 13, 2023
Memory exhaustion in go.opentelemetry.io/contrib/instrumentation
GO-2023-2102
- CVE-2023-39325, GHSA-4374-p667-p6c8
- Affects: net/http, golang.org/x/net
- Published: Oct 11, 2023
- Modified: Nov 27, 2023
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
GO-2023-2101
- GHSA-pffg-92cg-xf5c
- Affects: github.com/consensys/gnark-crypto
- Published: Oct 09, 2023
Incorrect exponentiation results in github.com/consensys/gnark-crypto
GO-2023-2098
- CVE-2023-44378, GHSA-498w-5j49-vqjg
- Affects: github.com/consensys/gnark
- Published: Oct 09, 2023
Unsoundness in variable comparison / non-unique binary decomposition in github.com/consensys/gnark
GO-2023-2096
- CVE-2023-44273, GHSA-9xfq-8j3r-xp5g
- Affects: github.com/consensys/gnark-crypto
- Published: Oct 05, 2023
Signature malleability in github.com/consensys/gnark-crypto
GO-2023-2095
- CVE-2023-39323
- Affects: cmd/go
- Published: Oct 05, 2023
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
GO-2023-2077
- CVE-2023-43644, GHSA-r5hm-mp3j-285g
- Affects: github.com/sagernet/sing
- Published: Oct 02, 2023
Authentication bypass in github.com/sagernet/sing
GO-2023-2074
- CVE-2023-42821, GHSA-m9xq-6h2j-65r2
- Affects: github.com/gomarkdown/markdown
- Published: Sep 22, 2023
- Modified: Dec 13, 2023
Parser out-of-bounds read caused by a malformed markdown input in github.com/gomarkdown/markdown
GO-2023-2052
- CVE-2023-41338, GHSA-3q5p-3558-364f
- Affects: github.com/gofiber/fiber/v2
- Published: Sep 12, 2023
The Ctx.IsFromLocal function can incorrectly report a request as being sent from localhost when the request contains an X-Forwarded-For header containing a localhost IP address.
GO-2023-2048
- GHSA-6xv5-86q9-7xr8
- Affects: github.com/cyphar/filepath-securejoin
- Published: Sep 13, 2023
- Modified: Dec 13, 2023
Certain rootfs and path combinations result in generated paths that are outside of the provided rootfs on Windows.
GO-2023-2046
- CVE-2023-40591, GHSA-ppjg-v974-84cm
- Affects: github.com/ethereum/go-ethereum
- Published: Oct 25, 2023
Unbounded memory consumption in github.com/ethereum/go-ethereum
GO-2023-2045
- CVE-2023-39322
- Affects: crypto/tls
- Published: Sep 07, 2023
- Modified: Sep 11, 2023
QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.
GO-2023-2044
- CVE-2023-39321
- Affects: crypto/tls
- Published: Sep 07, 2023
- Modified: Sep 11, 2023
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
GO-2023-2043
- CVE-2023-39319
- Affects: html/template
- Published: Sep 07, 2023
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
GO-2023-2042
- CVE-2023-39320
- Affects: cmd/go
- Published: Sep 07, 2023
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
GO-2023-2041
- CVE-2023-39318
- Affects: html/template
- Published: Sep 07, 2023
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
GO-2023-2024
- CVE-2023-40583, GHSA-gcq9-qqwx-rgj3
- Affects: github.com/libp2p/go-libp2p
- Published: Sep 13, 2023
- Modified: Nov 17, 2023
A malicious actor can store an arbitrary amount of data in the memory of a remote node by sending the node a message with a signed peer record. Signed peer records from randomly generated peers can be sent by a malicious actor. This memory does not get garbage collected and so the remote node can run out of memory (OOM).
GO-2023-2017
- CVE-2023-38976, GHSA-8697-479h-5mfp
- Affects: github.com/weaviate/weaviate
- Published: Nov 02, 2023
A type conversion issue in Weaviate may allow a remote attack that would cause a denial of service.
GO-2023-2003
- GHSA-8c37-7qx3-4c4p
- Affects: github.com/supranational/blst
- Published: Aug 10, 2023
- Modified: Dec 13, 2023
When complemented with a check for infinity, blst skips performing a signature group-check. Formally speaking, infinity is the identity element of the elliptic curve group and as such it is a member of the group, so the group-check should be performed. The fix performs the check even in the presence of infinity.
GO-2023-2000
- CVE-2023-39533, GHSA-876p-8259-xjgg
- Affects: github.com/libp2p/go-libp2p
- Published: Aug 08, 2023
- Modified: Dec 13, 2023
Large RSA keys can lead to resource exhaustion attacks. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits.
GO-2023-1998
- CVE-2023-37896, GHSA-2xx4-jj5v-6mff
- Affects: github.com/projectdiscovery/nuclei/v2
- Published: Aug 23, 2023
Improper path sanitization in sandbox mode in github.com/projectdiscovery/nuclei/v2
GO-2023-1992
- CVE-2019-11841, GHSA-x3jr-pf6g-c48f
- Affects: golang.org/x/crypto
- Published: Aug 23, 2023
The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking unverified text is part of the message. With fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.
GO-2023-1990
- CVE-2023-29407, GHSA-j3p8-6mrq-6g7h
- Affects: golang.org/x/image
- Published: Aug 02, 2023
- Modified: Nov 09, 2023
A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.
GO-2023-1989
- CVE-2023-29408, GHSA-x92r-3vfx-4cv3
- Affects: golang.org/x/image
- Published: Aug 02, 2023
- Modified: Nov 09, 2023
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.
GO-2023-1988
- CVE-2023-3978, GHSA-2wrh-6pvc-2jm9
- Affects: golang.org/x/net
- Published: Aug 02, 2023
- Modified: Oct 12, 2023
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
GO-2023-1987
- CVE-2023-29409
- Affects: crypto/tls
- Published: Aug 02, 2023
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
GO-2023-1941
- CVE-2023-37788, GHSA-4r8x-2p26-976p
- Affects: github.com/elazarl/goproxy
- Published: Jul 31, 2023
An invalid request can cause a panic when running in MITM mode.
GO-2023-1930
- CVE-2023-37475, GHSA-9x44-9pgq-cf45
- Affects: github.com/hamba/avro/v2, github.com/hamba/avro
- Published: Jul 25, 2023
- Modified: Jul 27, 2023
Unrestricted memory consumption in github.com/hamba/avro
GO-2023-1923
- CVE-2019-14243, GHSA-85c5-ccm8-vr96
- Affects: github.com/mastercactapus/proxyprotocol
- Published: Jul 25, 2023
Panic when handling invalid HAProxy PROXY v2 request in github.com/mastercactapus/proxyprotocol
GO-2023-1914
- GHSA-f28g-86hc-823q
- Affects: github.com/superfly/tokenizer
- Published: Jul 25, 2023
Brute-force of token secrets in github.com/superfly/tokenizer
GO-2023-1904
- CVE-2022-47931
- Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
- Published: Jul 11, 2023
Collision of hash values in github.com/bnb-chain/tss-lib.
GO-2023-1883
- CVE-2023-34451, GHSA-w24w-wp77-qffm
- Affects: github.com/cometbft/cometbft
- Published: Jul 13, 2023
A bug in the CometBFT middleware causes the mempool's two data structures to fall out of sync. This can lead to duplicate transactions that cannot be removed, even after they are committed in a block. The only way to remove the transaction is to restart the node. This can be exploited by an attacker to bring down a node by repeatedly submitting duplicate transactions.
GO-2023-1882
- CVE-2023-34450, GHSA-mvj3-qrqh-cjvr
- Affects: github.com/cometbft/cometbft
- Published: Jul 06, 2023
An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called. This function can be called in two ways. The first is via logs, by setting the consensus logging module to "debug" level (which should not happen in production), and setting the log output format to JSON. The second is via RPC dump_consensus_state.
GO-2023-1881
- GHSA-w5w5-2882-47pc
- Affects: github.com/cosmos/cosmos-sdk
- Published: Jul 06, 2023
- Modified: Dec 14, 2023
If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is not charged. No patch will be released, as the package is planned to be deprecated and replaced.
GO-2023-1878
- CVE-2023-29406
- Affects: net/http
- Published: Jul 11, 2023
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
GO-2023-1874
- CVE-2023-40586, GHSA-c2pj-v37r-2p6h
- Affects: github.com/corazawaf/coraza/v2, github.com/corazawaf/coraza/v3
- Published: Jul 05, 2023
- Modified: Sep 11, 2023
Due to the misuse of log.Fatalf, Coraza may crash after receiving crafted requests from attackers.
GO-2023-1872
- CVE-2023-35933, GHSA-hr9r-8phq-5x8j
- Affects: github.com/openfga/openfga
- Published: Jul 05, 2023
OpenFGA is vulnerable to a denial of service attack when certain Check and ListObjects calls are executed against authorization models that contain circular relationship definitions.
GO-2023-1867
- CVE-2022-47930
- Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
- Published: Jul 11, 2023
Replay attacks involving proofs in github.com/bnb-chain/tss-lib.
GO-2023-1861
- GHSA-j2cr-jc39-wpx5, GHSA-w44m-8mv2-v78h
- Affects: github.com/cosmos/cosmos-sdk
- Published: Jun 22, 2023
- Modified: Jul 13, 2023
The cosmos-sdk module is affected by the vulnerability codenamed "Barberry".
GO-2023-1860
- Affects: github.com/cosmos/ibc-go/v7, github.com/cosmos/ibc-go/v6, and 2 more
- Published: Jun 15, 2023
The ibc-go module is affected by the Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability.
GO-2023-1859
- GHSA-rm8v-mxj3-5rmq
- Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
- Published: Jun 22, 2023
AES-CBC decryption is vulnerable to a timing attack which may permit an attacker to recover the plaintext of JWE data.
GO-2023-1857
- GHSA-f99h-w337-mv56
- Affects: github.com/malfunkt/iprange
- Published: Jul 11, 2023
- Modified: Jul 24, 2023
Parsing a range with a mask larger than 32 bits causes a panic.
GO-2023-1842
- CVE-2023-29405
- Affects: cmd/go, cmd/cgo
- Published: Jun 08, 2023
- Modified: Dec 14, 2023
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
GO-2023-1841
- CVE-2023-29404
- Affects: cmd/go
- Published: Jun 08, 2023
- Modified: Dec 14, 2023
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
GO-2023-1840
- CVE-2023-29403
- Affects: runtime
- Published: Jun 08, 2023
- Modified: Jun 12, 2023
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
GO-2023-1839
- CVE-2023-29402
- Affects: cmd/go
- Published: Jun 08, 2023
- Modified: Jun 12, 2023
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
GO-2023-1832
- CVE-2023-33959, GHSA-xhg5-42rf-296r
- Affects: github.com/notaryproject/notation-go
- Published: Jun 26, 2023
An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.
GO-2023-1826
- CVE-2023-34205, GHSA-jqvr-j2vg-gjrv
- Affects: github.com/moov-io/signedxml
- Published: Jun 09, 2023
- Modified: Jun 12, 2023
Signature validation canonicalizes the input XML document before validating the signature. Parsing the uncanonicalized and canonicalized forms can produce different results. An attacker can exploit this variation to bypass signature validation. Users of signature validation must only parse the canonicalized form of the validated document. The Validator.Validate function does not return the canonical form, and cannot be used safely. Users should only use the Validator.ValidateReferences function and only parse the canonical form which it returns. The Validator.Validate function was removed in github.com/moov-io/signedxml v1.1.0.
GO-2023-1821
- GHSA-qfc5-6r3j-jj22
- Affects: github.com/cosmos/cosmos-sdk
- Published: Jul 05, 2023
If an invariant check fails on a Cosmos SDK network, and a transaction is sent to the x/crisis package to halt the chain, the chain does not halt as originally intended. No patch will be released, as the package is planned to be deprecated and replaced.
GO-2023-1792
- CVE-2018-20744, GHSA-927h-x4qj-r242
- Affects: github.com/rs/cors
- Published: Jun 08, 2023
- Modified: Jun 14, 2023
The CORS handler actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
GO-2023-1788
- CVE-2023-32698, GHSA-w7jw-q4fg-qc4c
- Affects: github.com/goreleaser/nfpm/v2
- Published: Jun 01, 2023
- Modified: Jun 12, 2023
When nfpm packages files without additional configuration to enforce its own permissions, the files could be packaged with incorrect permissions (chmod 666 or 777). Anyone who uses nfpm to create packages and does not check or set file permissions before packaging could result in files or folders being packaged with incorrect permissions.
GO-2023-1772
- CVE-2023-2253, GHSA-hqxw-f8mx-cpmw
- Affects: github.com/distribution/distribution
- Published: May 24, 2023
- Modified: Jun 12, 2023
Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request.
GO-2023-1766
- CVE-2023-25568, GHSA-m974-xj4j-7qv5, and 1 more
- Affects: github.com/ipfs/go-libipfs, github.com/ipfs/go-bitswap
- Published: Jun 14, 2023
- Modified: Jun 14, 2023
An attacker can cause a Bitswap server to allocate and leak unbounded amounts of memory.
GO-2023-1765
- CVE-2023-1732, GHSA-2q89-485c-9j2x
- Affects: github.com/cloudflare/circl
- Published: May 24, 2023
- Modified: Jun 12, 2023
When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret. The tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.
GO-2023-1753
- CVE-2023-29400
- Affects: html/template
- Published: May 05, 2023
- Modified: Jun 12, 2023
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
GO-2023-1752
- CVE-2023-24540
- Affects: html/template
- Published: May 05, 2023
- Modified: Jun 12, 2023
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
GO-2023-1751
- CVE-2023-24539
- Affects: html/template
- Published: May 05, 2023
- Modified: Jun 12, 2023
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
GO-2023-1737
- CVE-2023-29401, GHSA-2c4m-59x9-fr2g
- Affects: github.com/gin-gonic/gin
- Published: May 11, 2023
- Modified: Jun 12, 2023
The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.
GO-2023-1733
- CVE-2023-26557
- Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
- Published: Jul 11, 2023
Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib.
GO-2023-1732
- CVE-2023-26556
- Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
- Published: Jul 11, 2023
Timing attack from non-constant time scalar multiplication in github.com/bnb-chain/tss-lib.
GO-2023-1717
- CVE-2023-29194, GHSA-735r-hv67-g38f
- Affects: vitess.io/vitess
- Published: Apr 12, 2023
- Modified: Dec 14, 2023
Users can create a keyspace containing '/'. Future attempts to view keyspaces from some tools (including VTAdmin and "vtctldclient GetKeyspaces") receive an error.
GO-2023-1713
- CVE-2023-1800, GHSA-xq3x-grrj-fj6x
- Affects: github.com/sjqzhang/go-fastdfs
- Published: Apr 12, 2023
- Modified: Dec 14, 2023
An attacker can craft a remote request to upload a file to "/group1/upload" that uses path traversal to instead write the file contents to an attacker controlled path on the server.
GO-2023-1709
- CVE-2023-25000, GHSA-vq4h-9ghm-qmrr
- Affects: github.com/hashicorp/vault
- Published: Apr 12, 2023
- Modified: Jun 12, 2023
HashiCorp Vault's implementation of Shamir's secret sharing uses precomputed table lookups, and is vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares.
GO-2023-1705
- CVE-2023-24536
- Affects: mime/multipart, net/textproto
- Published: Apr 05, 2023
- Modified: Jun 22, 2023
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
GO-2023-1704
- CVE-2023-24534
- Affects: net/textproto
- Published: Apr 05, 2023
- Modified: Jun 12, 2023
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
GO-2023-1703
- CVE-2023-24538
- Affects: html/template
- Published: Apr 05, 2023
- Modified: Jun 12, 2023
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.
GO-2023-1702
- CVE-2023-24537
- Affects: go/scanner
- Published: Apr 05, 2023
- Modified: Jun 12, 2023
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
GO-2023-1681
- CVE-2023-0778, GHSA-qwqv-rqgf-8qh8
- Affects: github.com/containers/podman/v4
- Published: Apr 03, 2023
- Modified: Jun 12, 2023
A Time-of-check Time-of-use (TOCTOU) flaw appears in this version of podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.
GO-2023-1664
- CVE-2023-28119, GHSA-5mqj-xc49-246p
- Affects: github.com/crewjam/saml
- Published: Aug 23, 2023
Denial of service via deflate compression bomb in github.com/crewjam/saml
GO-2023-1640
- CVE-2023-28105, GHSA-5g39-ppwg-6xx8
- Affects: github.com/dablelv/go-huge-util
- Published: Aug 23, 2023
Path traversal when unzipping files in github.com/dablelv/go-huge-util
GO-2023-1631
- CVE-2023-24535, GHSA-hw7c-3rfg-p46j
- Affects: google.golang.org/protobuf
- Published: Mar 14, 2023
- Modified: Jun 12, 2023
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
GO-2023-1623
- CVE-2023-27483, GHSA-vfvj-3m3g-m532
- Affects: github.com/crossplane/crossplane-runtime
- Published: Mar 13, 2023
- Modified: Jun 12, 2023
An out of memory panic vulnerability exists in the crossplane-runtime libraries. Applications that use the Paved type's SetValue method with user-provided input that is not properly validated might use excessive amounts of memory and cause an out of memory panic. In the fieldpath package, the Paved.SetValue method sets a value on the Paved object according to the provided path, without any validation. This allows setting values in slices at any provided index, which grows the target array up to the requested index. The index is currently capped at max uint32 (4294967295), a large value. If callers do not validate paths' indexes on their own, this could allow users to consume arbitrary amounts of memory. Applications that do not use the Paved type's SetValue method are not affected. Users unable to upgrade can work around this issue by parsing and validating the path before passing it to the SetValue method of the Paved type, constraining the index size as deemed appropriate.
GO-2023-1621
- CVE-2023-24532
- Affects: crypto/internal/nistec
- Published: Mar 08, 2023
- Modified: Jun 12, 2023
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
GO-2023-1611
- CVE-2023-27475, GHSA-fx2v-qfhr-4chv
- Affects: github.com/gookit/goutil
- Published: Mar 08, 2023
- Modified: Jun 12, 2023
fsutil.Unzip is vulnerable to path traversal attacks due to improper validation of paths.
GO-2023-1602
- CVE-2023-26483, GHSA-6gc3-crp7-25w5
- Affects: github.com/russellhaering/gosaml2
- Published: Mar 03, 2023
- Modified: Dec 14, 2023
A bug in SAML authentication library can result in Denial of Service attacks. Attackers can craft a "deflate"-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed.
GO-2023-1600
- CVE-2023-26047, GHSA-p2pf-g8cq-3gq5
- Affects: github.com/kitabisa/teler-waf
- Published: Mar 02, 2023
- Modified: Jun 12, 2023
Improper handling of payload with special characters, such as CR/LF and horizontal tab, can lead to execution of arbitrary JavaScript code.
GO-2023-1597
- CVE-2023-26046, GHSA-9f95-hhg4-pg4f
- Affects: github.com/kitabisa/teler-waf
- Published: Mar 02, 2023
- Modified: Jun 12, 2023
Improper sanitization and filtering of HTML entities in user input can lead to cross-site scripting (XSS) attacks where arbitrary JavaScript code is executed in the browser.
GO-2023-1595
- CVE-2023-24533, GHSA-f6hc-9g49-xmx7
- Affects: filippo.io/nistec
- Published: Feb 28, 2023
- Modified: Jun 12, 2023
Multiplication of certain unreduced P-256 scalars produce incorrect results. There are no protocols known at this time that can be attacked due to this.
GO-2023-1589
- CVE-2023-25656, GHSA-87x9-7grx-m28v
- Affects: github.com/notaryproject/notation-go
- Published: Jul 11, 2023
Parsing PKIX distinguished names containing the string "=#" can cause excessive memory consumption.
GO-2023-1578
- CVE-2023-0475, GHSA-jpxj-2jvg-6jv9
- Affects: github.com/hashicorp/go-getter/v2, github.com/hashicorp/go-getter
- Published: Feb 17, 2023
- Modified: Jun 12, 2023
HashiCorp go-getter is vulnerable to decompression bombs. This can lead to excessive memory consumption and denial-of-service attacks.
GO-2023-1574
- CVE-2023-25173, GHSA-hmfx-3pcx-653p
- Affects: github.com/containerd/containerd, github.com/containerd/containerd
- Published: Feb 17, 2023
- Modified: Jun 12, 2023
Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups.
GO-2023-1573
- CVE-2023-25153, GHSA-259w-8hf6-59c2
- Affects: github.com/containerd/containerd, github.com/containerd/containerd
- Published: Feb 17, 2023
- Modified: Jun 12, 2023
When importing an OCI image, there was no limit on the number of bytes read from the io.Reader passed into ImportIndex. A large number of bytes could be read from this and could cause a denial of service.
GO-2023-1572
- CVE-2022-41727, GHSA-qgc7-mgm3-q253
- Affects: golang.org/x/image
- Published: Feb 16, 2023
- Modified: Jun 12, 2023
An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.
GO-2023-1571
- CVE-2022-41723, GHSA-vvpx-j8f3-3w6h
- Affects: net/http, golang.org/x/net
- Published: Feb 16, 2023
- Modified: Jun 12, 2023
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
GO-2023-1570
- CVE-2022-41724
- Affects: crypto/tls
- Published: Feb 16, 2023
- Modified: Jun 12, 2023
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
GO-2023-1569
- CVE-2022-41725
- Affects: mime/multipart
- Published: Feb 21, 2023
- Modified: Jun 12, 2023
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
GO-2023-1568
- CVE-2022-41722
- Affects: path/filepath
- Published: Feb 16, 2023
- Modified: Jun 12, 2023
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
GO-2023-1567
- CVE-2022-28923, GHSA-qpm3-vr34-h8w8
- Affects: github.com/caddyserver/caddy/v2
- Published: Feb 16, 2023
- Modified: Jun 12, 2023
Due to improper request sanitization, a crafted URL can cause the static file handler to redirect to an attacker chosen URL, allowing for open redirect attacks.
GO-2023-1566
- CVE-2022-25978, GHSA-9w8x-5hv5-r6gw
- Affects: github.com/usememos/memos
- Published: Feb 15, 2023
- Modified: Dec 14, 2023
A malicious actor can introduce links starting with a "javascript:" scheme due to insufficient checks on external resources. This can be used as a part of Cross-site Scripting (XSS) attack.
GO-2023-1559
- CVE-2023-23631, GHSA-4gj3-6r43-3wfc
- Affects: github.com/ipfs/go-unixfsnode
- Published: Feb 14, 2023
- Modified: Jun 12, 2023
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. There are no known workarounds (users are advised to upgrade).
GO-2023-1558
- CVE-2023-23626, GHSA-2h6c-j3gf-xp9r
- Affects: github.com/ipfs/go-bitfield
- Published: Feb 14, 2023
- Modified: Dec 14, 2023
When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics. This happens when the size is a not a multiple of 8 or is negative. A workaround is to ensure size%8 == 0 && size >= 0 yourself before calling NewBitfield or FromBytes.
GO-2023-1557
- CVE-2023-23625, GHSA-q264-w97q-q778
- Affects: github.com/ipfs/go-unixfs
- Published: Feb 14, 2023
- Modified: Dec 14, 2023
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus "fanout" parameter in the HAMT directory nodes. A workaround is to not feed untrusted user data to the decoding functions.
GO-2023-1549
- CVE-2023-0229, GHSA-5465-xc2j-6p84
- Affects: github.com/openshift/apiserver-library-go
- Published: Feb 16, 2023
- Modified: Jun 12, 2023
Low-privileged users can set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify.
GO-2023-1548
- CVE-2023-25163, GHSA-mv6w-j4xc-qpfw
- Affects: github.com/argoproj/argo-cd/v2
- Published: Feb 15, 2023
- Modified: Dec 14, 2023
Argo CD has an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have "applications, create" or "applications, update" RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has "repositories, update" access, they may edit an existing repository to introduce a URL typo or otherwise force an error message.
GO-2023-1547
- CVE-2023-25165, GHSA-pwcw-6f5g-gxf8
- Affects: helm.sh/helm/v3
- Published: Feb 14, 2023
- Modified: Dec 14, 2023
An information disclosure vulnerability exists in the getHostByName template function. The function getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with "helm install|upgrade|template" or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.
GO-2023-1546
- CVE-2023-25151, GHSA-5r5m-65gx-7vrh
- Affects: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
- Published: Apr 05, 2023
- Modified: Jun 12, 2023
The otelhttp package of opentelemetry-go-contrib is vulnerable to a denial-of-service attack. The otelhttp package uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments. The ServerRequest function sets the http.target attribute value to be the whole request URI (including the query string). The metric instruments do not "forget" previous measurement attributes when "cumulative" temporality is used, meaning that the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.
GO-2023-1535
- GHSA-hxp2-xqf3-v83h
- Affects: github.com/pion/dtls/v2
- Published: Feb 13, 2023
- Modified: Jun 12, 2023
Unmarshalling a Server Hello can panic, which could allow a denial of service.
GO-2023-1534
- GHSA-4xgv-j62q-h3rj
- Affects: github.com/pion/dtls/v2
- Published: Feb 13, 2023
- Modified: Jun 12, 2023
Unmarshalling a Hello Verify request can panic, which could allow a denial of service.
GO-2023-1526
- CVE-2023-24623, GHSA-v9mp-j8g7-2q6m
- Affects: github.com/hakobe/paranoidhttp
- Published: Feb 14, 2023
- Modified: Jun 12, 2023
Paranoidhttp before is vulnerable to SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
GO-2023-1519
- CVE-2022-31249, GHSA-qrg7-hfx7-95c5
- Affects: github.com/rancher/wrangler
- Published: Feb 14, 2023
- Modified: Jun 12, 2023
A command injection vulnerability exists in the Wrangler Git package. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host. A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
GO-2023-1515
- CVE-2022-43756, GHSA-8fcj-gf77-47mg
- Affects: github.com/rancher/wrangler
- Published: Feb 14, 2023
- Modified: Jun 12, 2023
A denial of service (DoS) vulnerability exists in the Wrangler Git package. Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories. A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
GO-2023-1505
- CVE-2022-47747, GHSA-hj4g-4w36-x8hp
- Affects: github.com/uber/kraken
- Published: May 17, 2023
- Modified: Jun 12, 2023
kraken contains an arbitrary file read vulnerability via component testfs.
GO-2023-1497
- CVE-2022-23538, GHSA-7p8m-22h4-9pj7
- Affects: github.com/sylabs/scs-library-client, github.com/sylabs/scs-library-client
- Published: Feb 01, 2023
- Modified: Jun 12, 2023
When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider.
GO-2023-1495
- CVE-2022-41721, GHSA-fxg5-wq6x-vr4w
- Affects: golang.org/x/net
- Published: Jan 13, 2023
- Modified: Jun 12, 2023
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
GO-2023-1494
- CVE-2014-125064, GHSA-g7mw-9pf9-p2pm
- Affects: github.com/elgs/gosqljson
- Published: Feb 01, 2023
- Modified: Jun 12, 2023
There is a potential for SQL injection through manipulation of the sqlStatement argument.
GO-2023-1295
- CVE-2020-36645, GHSA-3hc7-2xcc-7p8f
- Affects: github.com/square/squalor
- Published: Feb 01, 2023
- Modified: Jun 12, 2023
There is a potential for SQL injection in the table name parameter.
GO-2023-1269
- CVE-2023-22460, GHSA-c653-6hhg-9x92
- Affects: github.com/ipld/go-ipld-prime
- Published: Jan 18, 2023
- Modified: Jun 12, 2023
Encoding data using the 'json' codec which contains a 'Bytes' type Node will cause the encoder to panic. The decoder is not impacted. If the codec is used to encode user supplied data, this may be used as a vector for a denial of service attack.
GO-2023-1268
- CVE-2022-48195, GHSA-gvfj-fxx3-j323
- Affects: mellium.im/sasl
- Published: Jan 18, 2023
- Modified: Jun 12, 2023
An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.
GO-2022-1213
- CVE-2018-25060, GHSA-hhxg-px5h-jc32
- Affects: github.com/go-macaron/csrf
- Published: Jan 03, 2023
- Modified: Jun 12, 2023
The Options.Secure value is ignored, and cookies created by Generate never have the secure attribute.
GO-2022-1201
- CVE-2021-4294, GHSA-m7qp-cj9p-gj85
- Affects: github.com/openshift/osin
- Published: Jan 03, 2023
- Modified: Jun 12, 2023
Client secret checks are vulnerable to timing attacks, which could permit an attacker to determine client secrets.
GO-2022-1188
- CVE-2022-4741, GHSA-qvx2-59g8-8hph
- Affects: code.sajari.com/docconv
- Published: Jan 12, 2023
- Modified: Jun 12, 2023
An attacker can remotely supply a specially crafted input that causes uncontrolled memory allocation.
GO-2022-1187
- CVE-2020-36627, GHSA-jwrv-x6rx-8vfm
- Affects: github.com/go-macaron/i18n
- Published: Dec 28, 2022
- Modified: Jun 12, 2023
A user controlled string could lead to open redirect.
GO-2022-1184
- CVE-2022-4643, GHSA-6m4h-hfpp-x8cx
- Affects: code.sajari.com/docconv
- Published: Dec 27, 2022
- Modified: Jun 12, 2023
The manipulation of the argument path to docconv.{ConvertPDF,PDFHasImage} leads to os command injection.
GO-2022-1180
- CVE-2022-47633, GHSA-m3cq-xcx9-3gvm
- Affects: github.com/kyverno/kyverno
- Published: Dec 27, 2022
- Modified: Dec 14, 2023
A malicious proxy/registry can bypass verifyImages rules.
GO-2022-1178
- CVE-2022-39304, GHSA-h4q8-96p6-jcgr
- Affects: github.com/bradleyfalzon/ghinstallation
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
Errors returned by ghinstallation.Transport can include the JWT used for the failed operation. If the error is exposed to an untrusted party, this JWT could be extracted and used to authenticate further requests.
GO-2022-1175
- CVE-2022-23536, GHSA-cq2g-pw6q-hf7j
- Affects: github.com/cortexproject/cortex
- Published: Dec 22, 2022
- Modified: Dec 14, 2023
A malicious actor could remotely read local files by submitting to the Alertmanager Set Configuration API maliciously crafted inputs. Only users of the Alertmanager service where "-experimental.alertmanager.enable-api" or "enable_api: true" is configured are affected.
GO-2022-1167
- CVE-2022-23524, GHSA-6rx9-889q-vv2r
- Affects: helm.sh/helm/v3
- Published: Dec 14, 2022
- Modified: Jun 12, 2023
Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes an error that cannot be recovered from. The strvals package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The strvals package converts these strings into structures Go can work with. Some string inputs can cause can cause a stack overflow to be created causing a stack overflow error. Stack overflow errors cannot be recovered from. The Helm Client will panic with input to --set, --set-string, and other value setting flags that causes a stack overflow. Helm is not a long running service so the error will not affect future uses of the Helm client.
GO-2022-1166
- CVE-2022-23526, GHSA-67fx-wx78-jx33
- Affects: helm.sh/helm/v3
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
Certain JSON schema validation files can cause a Helm Client to panic, leading to a possible denial of service. The chartutil package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The chartutil package parses the schema file and loads it into memory, but some schema files can cause array data structures to be created causing a memory violation. The Helm Client will panic with a schema file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.
GO-2022-1165
- CVE-2022-23525, GHSA-53c4-hhmh-vw5q
- Affects: helm.sh/helm/v3
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
Applications that use the repo package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The repo package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The repo package parses the index file of the repository and loads it into memory. Some index files can cause array data structures to be created causing a memory violation. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.
GO-2022-1159
- CVE-2022-4123, GHSA-rprg-4v7q-87v7
- Affects: github.com/containers/podman/v4
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.
GO-2022-1155
- CVE-2022-23495, GHSA-x39j-h85h-3f46
- Affects: github.com/ipfs/go-merkledag
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
A ProtoNode may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. Additionally, use of the ProtoNode.SetCidBuilder() method to set non-functioning CidBuilder (such as one that refers to a multihash where an implementation of that hash function is not available) may cause the same methods to panic as a new CID is required but cannot be created.
GO-2022-1148
- CVE-2022-23492, GHSA-j7qp-mfxf-8xjw
- Affects: github.com/libp2p/go-libp2p
- Published: Dec 14, 2022
- Modified: Jun 12, 2023
go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory ultimately leading to the process getting killed by the host's operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. It's recommend to update to v0.21.0 onwards to get some useful functionality that will help in production environments like better metrics around resource usage, Grafana dashboards around resource usage, allow list support, and default autoscaling limits.
GO-2022-1144
- CVE-2022-41717, GHSA-xrjj-mj9h-534m
- Affects: net/http, golang.org/x/net
- Published: Dec 08, 2022
- Modified: Jun 12, 2023
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
GO-2022-1143
- CVE-2022-41720
- Affects: os, net/http
- Published: Dec 07, 2022
- Modified: Jun 12, 2023
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.
GO-2022-1130
- CVE-2022-46146, GHSA-7rg2-cxvp-9p7p
- Affects: github.com/prometheus/exporter-toolkit
- Published: Nov 29, 2022
- Modified: Jun 12, 2023
If an attacker has access to a Prometheus web.yml file and users' bcrypted passwords, it would be possible to bypass security via the built-in authentication cache.
GO-2022-1129
- CVE-2022-41912, GHSA-j2jp-wvqg-wc2g
- Affects: github.com/crewjam/saml
- Published: Nov 29, 2022
- Modified: Jun 12, 2023
Authentication bypass is possible when processing SAML responses containing multiple Assertion elements.
GO-2022-1118
- CVE-2022-39199, GHSA-6cqj-6969-p57x
- Affects: github.com/codenotary/immudb
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
A malicious server can trick a client into treating it as a different server by changing the reported UUID. immudb client SDKs use the server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. The SDK does not validate this UUID and accepts any value reported by the server. A malicious server can therefore change the reported UUID and trick the client into treating it as a different server.
GO-2022-1117
- CVE-2022-36111, GHSA-672p-m5jq-mrh8
- Affects: github.com/codenotary/immudb
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
In certain scenarios, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability.
GO-2022-1114
- CVE-2022-41920, GHSA-pp3f-xrw5-q5j4
- Affects: github.com/duke-git/lancet, github.com/duke-git/lancet/v2
- Published: Dec 07, 2022
- Modified: Jun 12, 2023
A ZipSlip vulnerability exists when using the fileutil package to unzip files.
GO-2022-1113
- CVE-2022-39383, GHSA-m5xf-x7q6-3rm7
- Affects: github.com/oam-dev/kubevela
- Published: Dec 07, 2022
- Modified: Jun 12, 2023
When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability.
GO-2022-1098
- CVE-2022-44797, GHSA-2chg-86hq-7w38
- Affects: github.com/btcsuite/btcd
- Published: Nov 08, 2022
- Modified: Jun 12, 2023
Erroneous message decoding can cause denial of service. Improper checking of maximum witness size during node message decoding prevented nodes in Lightning Labs lnd (before 0.15.2-beta) to sync.
GO-2022-1095
- CVE-2022-41716
- Affects: syscall, os/exec
- Published: Nov 01, 2022
- Modified: Jun 12, 2023
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
GO-2022-1086
- CVE-2022-38580, GHSA-f2rj-m42r-6jm2
- Affects: github.com/zalando/skipper
- Published: Nov 02, 2022
- Modified: Jun 12, 2023
An attacker can access the internal metadata server or other unauthenticated URLs by adding a specific header (X-Skipper-Proxy) to the http request.
GO-2022-1083
- CVE-2022-43677, GHSA-59hj-62f5-fgmc
- Affects: github.com/free5gc/aper
- Published: Nov 02, 2022
- Modified: Dec 14, 2023
A malformed message can crash the free5gc/amf and free5gc/ngap decoders via an index-out-of-range panic in aper.GetBitString.
GO-2022-1071
- CVE-2022-39272, GHSA-f4p5-x4vc-mh4v
- Affects: github.com/fluxcd/helm-controller/api, github.com/fluxcd/image-automation-controller/api, and 4 more
- Published: Oct 28, 2022
- Modified: Dec 14, 2023
Flux controllers are vulnerable to a denial of service attack. Users that have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed. The issue has two root causes: a) the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration as explained in https://github.com/kubernetes/apimachinery/issues/131, and b) a lack of validation within Flux to restrict allowed values.
GO-2022-1059
- CVE-2022-32149, GHSA-69ch-w2m2-3vjp
- Affects: golang.org/x/text
- Published: Oct 11, 2022
- Modified: Jun 12, 2023
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
GO-2022-1053
- GHSA-x279-68rr-jp4p
- Affects: github.com/supranational/blst
- Published: Oct 18, 2022
- Modified: Jun 12, 2023
Potential creation of an invalid signature from correct inputs. Some inputs to the blst_fp_eucl_inverse function can produce incorrect outputs. This could theoretically permit the creation of an invalid signature from correct inputs.
GO-2022-1052
- CVE-2021-21271, GHSA-p658-8693-mhvg
- Affects: github.com/tendermint/tendermint
- Published: Oct 14, 2022
- Modified: Jun 12, 2023
Mishandling of timestamps during consensus process can cause a denial of service. While reaching consensus, different tendermint nodes can observe a different timestamp for a consensus evidence. This mismatch can cause the evidence to be invalid, upon which the node producing the evidence will be asked to generate a new evidence. This new evidence will be the same, which means it will again be rejected by other nodes involved in the consensus. This loop will continue until the peer nodes decide to disconnect from the node producing the evidence.
GO-2022-1045
- CVE-2022-39237, GHSA-m5m3-46gj-wch8
- Affects: github.com/sylabs/sif/v2
- Published: Oct 21, 2022
- Modified: Jun 12, 2023
The Singularity Image Format (SIF) reference implementation does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.
GO-2022-1043
- CVE-2022-39273, GHSA-67x4-qr35-qvrm
- Affects: github.com/flyteorg/flyteadmin
- Published: Oct 31, 2022
- Modified: Jun 12, 2023
Default authorization server's configuration settings contain a known hardcoded hashed password. Users who enable auth but do not override this setting may unknowingly allow public traffic in by way of this default password with attackers effectively impersonating propeller.
GO-2022-1040
- CVE-2021-21303, GHSA-c38g-469g-cmgx
- Affects: helm.sh/helm/v3
- Published: Oct 18, 2022
- Modified: Jun 12, 2023
Helm does not sanitize all fields read from repository data files. A maliciously crafted data file may contain strings containing arbitrary data. If printed to a terminal, a malicious string could obscure or alter data on the screen.
GO-2022-1039
- CVE-2022-41715
- Affects: regexp/syntax
- Published: Oct 06, 2022
- Modified: Jun 12, 2023
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
GO-2022-1038
- CVE-2022-2880
- Affects: net/http/httputil
- Published: Oct 06, 2022
- Modified: Jun 12, 2023
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
GO-2022-1037
- CVE-2022-2879
- Affects: archive/tar
- Published: Oct 06, 2022
- Modified: Jun 12, 2023
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
GO-2022-1031
- CVE-2022-40083, GHSA-crxj-hrmp-4rwf
- Affects: github.com/labstack/echo/v4
- Published: Oct 11, 2022
- Modified: Jun 12, 2023
Labstack Echo contains an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
GO-2022-1027
- CVE-2022-40082, GHSA-c9qr-f6c8-rgxf
- Affects: github.com/cloudwego/hertz
- Published: Oct 05, 2022
- Modified: Jun 12, 2023
Improper path sanitization on Windows permits path traversal attacks. Static file serving with the Static or StaticFS functions allows an attacker to access files from outside the filesystem root. This vulnerability does not affect non-Windows systems.
GO-2022-1026
- CVE-2022-3347, GHSA-jr65-gpj5-cw74
- Affects: github.com/peterzen/goresolver
- Published: Sep 29, 2022
- Modified: Dec 14, 2023
DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain.
GO-2022-1008
- CVE-2022-2990, GHSA-fjm8-m7m6-2fjp
- Affects: github.com/containers/buildah
- Published: Sep 21, 2022
- Modified: Jun 12, 2023
SGID programs executed in a container can access files that have negative group permissions for the user's primary group. Consider a file which is owned by user u1 and group g1, permits user and other read access, and does NOT permit group read access. This file is readable by u1 and all other users except for ones in group g1. A program with the set-group-ID (SGID) bit set assumes the primary group of the program's group when it executes. A user with the primary group g1 who executes an SGID program owned by group g2 should not be able to access the file described above. While the program executes with the primary group g2, the group g1 should remain in its supplementary groups, blocking access to the file. Buildah does not correctly add g1 to the supplementary groups in this scenario, permitting unauthorized access.
GO-2022-1004
- GHSA-3633-5h82-39pq
- Affects: github.com/theupdateframework/go-tuf
- Published: Sep 21, 2022
- Modified: Jun 12, 2023
An attacker with the ability to insert public keys into a TUF repository can cause clients to accept a staged change that has not been signed by the correct threshold of signatures.
GO-2022-1002
- CVE-2022-39213, GHSA-xhmf-mmv2-4hhx
- Affects: github.com/pandatix/go-cvss
- Published: Sep 21, 2022
- Modified: Jun 12, 2023
ParseVector can panic when provided with invalid input.
GO-2022-0998
- CVE-2022-36056, GHSA-8gw7-4j42-w388
- Affects: github.com/sigstore/cosign
- Published: Nov 09, 2023
Improper blob verification in github.com/sigstore/cosign
GO-2022-0988
- CVE-2022-32190
- Affects: net/url
- Published: Sep 12, 2022
- Modified: Jun 12, 2023
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
GO-2022-0980
- CVE-2022-38149, GHSA-8449-7gc2-pwrp
- Affects: github.com/hashicorp/consul-template
- Published: Sep 21, 2022
- Modified: Jun 12, 2023
The text of errors returned by Template.Execute can contain Vault secrets, potentially revealing these secrets in logs or error reports.
GO-2022-0979
- CVE-2022-3346, GHSA-87mm-qxm5-cp3f
- Affects: github.com/peterzen/goresolver
- Published: Sep 29, 2022
- Modified: Dec 14, 2023
DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.
GO-2022-0978
- CVE-2022-36085, GHSA-f524-rf33-2jjr
- Affects: github.com/open-policy-agent/opa
- Published: Sep 13, 2022
- Modified: Dec 14, 2023
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage. A bypass of this protection is possible when using the "with" keyword to mock a built-in function that isn't taken into account by WithUnsafeBuiltins.
GO-2022-0972
- CVE-2022-41719, GHSA-jr77-8gx4-h5qh
- Affects: github.com/shamaton/msgpack/v2
- Published: Nov 10, 2022
- Modified: Jun 12, 2023
Unmarshal can panic on some inputs, possibly allowing for denial of service attacks.
GO-2022-0969
- CVE-2022-27664, GHSA-69cg-p879-7622
- Affects: net/http, golang.org/x/net
- Published: Sep 12, 2022
- Modified: Jun 12, 2023
HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.
GO-2022-0968
- CVE-2021-43565, GHSA-gwc9-m7rh-j2ww
- Affects: golang.org/x/crypto
- Published: Sep 13, 2022
- Modified: Jun 12, 2023
Unauthenticated clients can cause a panic in SSH servers. When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.
GO-2022-0965
- GHSA-74fp-r6jw-h4mp
- Affects: k8s.io/apimachinery
- Published: Sep 02, 2022
- Modified: Jun 12, 2023
Unbounded recursion in JSON parsing allows malicious JSON input to cause excessive memory consumption or panics.
GO-2022-0963
- CVE-2022-36078, GHSA-4p6f-m4f9-ch88
- Affects: github.com/gagliardetto/binary
- Published: Sep 02, 2022
- Modified: Jun 12, 2023
A memory allocation vulnerability can be exploited to allocate arbitrarily large slices, which can exhaust available memory or crash the program. When parsing data from untrusted sources of input (e.g. the blockchain), the length of the slice to allocate is read directly from the data itself without any checks, which could lead to an allocation of excessive memory.
GO-2022-0962
- CVE-2022-36055, GHSA-7hfp-qfw3-5jxh
- Affects: helm.sh/helm/v3
- Published: Sep 02, 2022
- Modified: Jun 12, 2023
Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The strvals package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The strvals package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. The Helm Client will panic with input to --set, --set-string, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.
GO-2022-0957
- CVE-2020-36066, GHSA-wjm3-fq3r-5x46
- Affects: github.com/tidwall/gjson
- Published: Aug 25, 2022
- Modified: Dec 14, 2023
A maliciously crafted JSON input can cause a denial of service attack.
GO-2022-0956
- CVE-2022-3064, GHSA-6q6q-88xp-6f2r
- Affects: gopkg.in/yaml.v2
- Published: Aug 29, 2022
- Modified: Jun 12, 2023
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
GO-2022-0952
- CVE-2022-36009, GHSA-grvv-h2f9-7v9c
- Affects: github.com/matrix-org/gomatrixserverlib
- Published: Aug 22, 2022
- Modified: Jun 12, 2023
Power level parsing does not parse the "events_default" key of the m.room.power_levels event, setting the event default power level to zero in all cases. This can cause events to be improperly accepted or rejected in rooms where the event_default power level has been changed.
GO-2022-0945
- CVE-2016-9122, GHSA-77gc-fj98-665h
- Affects: gopkg.in/square/go-jose.v1
- Published: Aug 22, 2022
- Modified: Jun 12, 2023
The go-jose library suffers from multiple signatures exploitation. When validating a signed message, the API did not indicate which signature was valid, which creates the potential for confusion.
GO-2022-0942
- CVE-2022-37315, GHSA-h3qm-jrrf-cgj3
- Affects: github.com/graphql-go/graphql
- Published: Aug 23, 2022
- Modified: Jun 12, 2023
graphql-go (aka GraphQL for Go) has infinite recursion in the type definition parser.
GO-2022-0762
- CVE-2021-29272, GHSA-3x58-xr87-2fcj
- Affects: github.com/microcosm-cc/bluemonday
- Published: May 18, 2021
- Modified: Dec 14, 2023
An XSS injection was possible because the sanitization of the Cyrillic character i bypass a protection mechanism against user-inputted HTML elements such as the <script> tag.
GO-2022-0761
- CVE-2016-5386
- Affects: net/http, net/http/cgi
- Published: Aug 09, 2022
- Modified: Jun 12, 2023
An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests. This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. Read more about "httpoxy" here: https://httpoxy.org.
GO-2022-0758
- CVE-2022-35929, GHSA-vjxv-45g9-9296
- Affects: github.com/sigstore/cosign
- Published: Nov 09, 2023
Improper verification of signature attestations in github.com/sigstore/cosign
GO-2022-0755
- CVE-2019-13209, GHSA-xhg2-rvm8-w2jh
- Affects: github.com/rancher/rancher
- Published: May 18, 2021
- Modified: Jun 12, 2023
Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher.
GO-2022-0706
- CVE-2021-22133, GHSA-qqc5-rgcc-cjqh
- Affects: go.elastic.co/apm
- Published: May 18, 2021
- Modified: Jun 12, 2023
Sensitive HTTP headers may not be properly sanitized before being sent to the APM server if the program panics.
GO-2022-0701
- CVE-2015-5305, GHSA-jp32-vmm6-3vf5
- Affects: k8s.io/kubernetes
- Published: Feb 15, 2022
- Modified: Jun 12, 2023
Crafted object type names can cause directory traversal in Kubernetes. Object names are not validated before being passed to etcd. This allows attackers to write arbitrary files via a crafted object name, hence causing directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0.
GO-2022-0646
- CVE-2020-8911, CVE-2020-8912, and 2 more
- Affects: github.com/aws/aws-sdk-go
- Published: Feb 11, 2022
- Modified: Jun 12, 2023
The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.
GO-2022-0643
- CVE-2017-11480, GHSA-9q3g-m353-cp4p
- Affects: github.com/elastic/beats
- Published: Feb 15, 2022
- Modified: Jun 12, 2023
A local attacker can cause a panic if they are able to send arbitrary traffic to a monitored port, due to an out of bounds read.
GO-2022-0629
- CVE-2020-8568, GHSA-5cgx-vhfp-6cf9
- Affects: sigs.k8s.io/secrets-store-csi-driver
- Published: Feb 15, 2022
- Modified: Jun 12, 2023
Modifying pod status allows host directory traversal. Kubernetes Secrets Store CSI Driver allows an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
GO-2022-0621
- CVE-2019-10223, CVE-2019-17110, and 2 more
- Affects: k8s.io/kube-state-metrics
- Published: May 18, 2021
- Modified: Jun 12, 2023
Exposing annotations as metrics can leak secrets. An experimental feature of kube-state-metrics enables annotations to be exposed as metrics. By default, metrics only expose metadata about secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels.
GO-2022-0619
- CVE-2022-1996, GHSA-r48q-9g5r-8q2h
- Affects: github.com/emicklei/go-restful, github.com/emicklei/go-restful/v2, and 1 more
- Published: Aug 15, 2022
- Modified: Jun 12, 2023
CORS filters that use an AllowedDomains configuration parameter can match domains outside the specified set, permitting an attacker to avoid the CORS policy. The AllowedDomains configuration parameter is documented as a list of allowed origin domains, but values in this list are applied as regular expression matches. For example, an allowed domain of "example.com" will match the Origin header "example.com.malicious.domain".
GO-2022-0603
- CVE-2022-28948, GHSA-hp87-p4gw-j4gq
- Affects: gopkg.in/yaml.v3
- Published: Aug 22, 2022
- Modified: Jun 12, 2023
An issue in the Unmarshal function can cause a program to panic when attempting to deserialize invalid input.
GO-2022-0588
- CVE-2021-42576, GHSA-x95h-979x-cf3j
- Affects: github.com/microcosm-cc/bluemonday
- Published: Aug 15, 2022
- Modified: Dec 14, 2023
The bluemonday HTML sanitizer can leak the contents of a "style" element into HTML output, potentially causing XSS vulnerabilities. The default bluemonday sanitization policies are not vulnerable. Only user-defined policies allowing "select", "style", and "option" elements are affected. Permitting the "style" element in policies is hazardous, because bluemonday does not contain a CSS sanitizer. Newer versions of bluemonday suppress "style" and "script" elements even when allowed by a policy unless the policy explicitly requests unsafe processing.
GO-2022-0587
- CVE-2022-28946, GHSA-x7f3-62pm-9p38
- Affects: github.com/open-policy-agent/opa
- Published: May 20, 2022
- Modified: Jun 12, 2023
An issue in ast.Parser in Open Policy Agent causes the application to incorrectly interpret expressions, allowing a Denial of Service (DoS) via triggering out-of-range memory access.
GO-2022-0586
- CVE-2022-26945, CVE-2022-30321, and 6 more
- Affects: github.com/hashicorp/go-getter, github.com/hashicorp/go-getter/v2, and 2 more
- Published: May 26, 2022
- Modified: Jun 12, 2023
Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics. * Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing. * Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws. * Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses. * A panic can be triggered when go-getter processed password-protected ZIP files.
GO-2022-0574
- CVE-2022-33082, GHSA-2m4x-4q9j-w97g
- Affects: github.com/open-policy-agent/opa
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
An issue in the AST parser of Open Policy Agent makes it possible for attackers to cause a Denial of Service attack from a crafted input.
GO-2022-0572
- CVE-2021-30080, GHSA-28r6-jm5h-mrgg
- Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
- Published: Aug 22, 2022
- Modified: Dec 14, 2023
An issue was discovered in the route lookup process in beego which attackers to bypass access control.
GO-2022-0569
- CVE-2022-31836, GHSA-95f9-94vc-665h
- Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
- Published: Aug 23, 2022
- Modified: Jun 12, 2023
The leafInfo.match() function uses path.join() to deal with wildcard values which can lead to cross directory risk.
GO-2022-0564
- CVE-2022-31053, GHSA-75rw-34q6-72cr
- Affects: github.com/biscuit-auth/biscuit-go
- Published: Aug 15, 2022
- Modified: Jun 12, 2023
An attacker can forge Biscuit v1 tokens with any access level. There is no known workaround for Biscuit v1. The Biscuit v2 specification avoids this vulnerability.
GO-2022-0563
- CVE-2021-46398, GHSA-72wf-hwcq-65h9
- Affects: github.com/filebrowser/filebrowser/v2
- Published: Feb 05, 2022
- Modified: Jun 12, 2023
A Cross-Site Request Forgery vulnerability exists in Filebrowser that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim.
GO-2022-0558
- CVE-2022-1227, GHSA-66vw-v2x9-hw75
- Affects: github.com/containers/psgo
- Published: Aug 22, 2022
- Modified: Jun 12, 2023
The psgo package executes the 'nsenter' binary, potentially allowing privilege escalation when used in environments where nsenter is provided by an untrusted source.
GO-2022-0537
- CVE-2022-32189
- Affects: math/big
- Published: Aug 01, 2022
- Modified: Jun 12, 2023
Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.
GO-2022-0536
- CVE-2019-9512, CVE-2019-9514, and 2 more
- Affects: net/http, golang.org/x/net
- Published: Aug 01, 2022
- Modified: Jun 12, 2023
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
GO-2022-0535
- CVE-2020-0601
- Affects: crypto/x509
- Published: Aug 01, 2022
- Modified: Jun 12, 2023
A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system. See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability.
GO-2022-0534
- CVE-2022-24912, GHSA-jxqv-jcvh-7gr4
- Affects: github.com/runatlantis/atlantis
- Published: Aug 11, 2022
- Modified: Jun 12, 2023
Validation of Gitlab requests can leak secrets. The package github.com/runatlantis/atlantis/server/controllers/events uses a non-constant time comparison for secrets while validating a Gitlab request. This allows for a timing attack where an attacker can recover a secret and then forge the request.
GO-2022-0533
- CVE-2022-29804
- Affects: path/filepath
- Published: Jul 28, 2022
- Modified: Dec 14, 2023
On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. For example, Clean(".\c:") returns "c:".
GO-2022-0532
- CVE-2022-30580
- Affects: os/exec
- Published: Jul 26, 2022
- Modified: Jun 12, 2023
On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".
GO-2022-0531
- CVE-2022-30629
- Affects: crypto/tls
- Published: Jul 28, 2022
- Modified: Jun 12, 2023
An attacker can correlate a resumed TLS session with a previous connection. Session tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
GO-2022-0528
- CVE-2022-25891, GHSA-477v-w82m-634j
- Affects: github.com/containrrr/shoutrrr
- Published: Jul 30, 2022
- Modified: Jun 12, 2023
Sending a message exactly 2000, 4000, or 6000 characters in length to Discord causes a panic.
GO-2022-0527
- CVE-2022-30630
- Affects: io/fs
- Published: Jul 20, 2022
- Modified: Jun 12, 2023
Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
GO-2022-0526
- CVE-2022-30635
- Affects: encoding/gob
- Published: Jul 20, 2022
- Modified: Jun 12, 2023
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
GO-2022-0525
- CVE-2022-1705
- Affects: net/http
- Published: Jul 25, 2022
- Modified: Jun 12, 2023
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
GO-2022-0524
- CVE-2022-30631
- Affects: compress/gzip
- Published: Jul 20, 2022
- Modified: Jun 12, 2023
Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
GO-2022-0523
- CVE-2022-30633
- Affects: encoding/xml
- Published: Jul 20, 2022
- Modified: Jun 12, 2023
Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion.
GO-2022-0522
- CVE-2022-30632
- Affects: path/filepath
- Published: Jul 20, 2022
- Modified: Jun 12, 2023
Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.
GO-2022-0521
- CVE-2022-28131
- Affects: encoding/xml
- Published: Jul 20, 2022
- Modified: Jun 12, 2023
Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.
GO-2022-0520
- CVE-2022-32148
- Affects: net/http
- Published: Jul 28, 2022
- Modified: Jun 12, 2023
Client IP adresses may be unintentionally exposed via X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.
GO-2022-0519
- CVE-2022-31145, GHSA-qwrj-9hmp-gpxh
- Affects: github.com/flyteorg/flyteadmin
- Published: Jul 30, 2022
- Modified: Jun 12, 2023
Improper validation of access tokens can permit use of expired tokens.
GO-2022-0515
- CVE-2022-1962
- Affects: go/parser
- Published: Jul 20, 2022
- Modified: Jun 12, 2023
Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.
GO-2022-0503
- GHSA-9x4h-8wgm-8xfg
- Affects: github.com/ipld/go-car, github.com/ipld/go-car/v2
- Published: Jul 30, 2022
- Modified: Jun 12, 2023
Decoding malformed CAR data can cause panics or excessive memory usage.
GO-2022-0493
- CVE-2022-29526, GHSA-p782-xgp4-8hr8
- Affects: syscall, golang.org/x/sys
- Published: Jul 15, 2022
- Modified: Dec 11, 2023
When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.
GO-2022-0492
- CVE-2022-25856, GHSA-qpgx-64h2-gc3c
- Affects: github.com/argoproj/argo-events
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
GitArtifactReader is vulnerable to directory traversal attacks. The GitArtifactReader.Read function reads and returns the contents of a Git repository file. A maliciously crafted repository can exploit this to cause Read to read from arbitrary files on the filesystem.
GO-2022-0477
- CVE-2022-30634
- Affects: crypto/rand
- Published: Jun 09, 2022
- Modified: Jun 12, 2023
On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.
GO-2022-0476
- CVE-2020-28367
- Affects: cmd/go
- Published: Jul 28, 2022
- Modified: Jun 12, 2023
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a cgo directive.
GO-2022-0475
- CVE-2020-28366
- Affects: cmd/go, cmd/cgo
- Published: Jul 28, 2022
- Modified: Jun 12, 2023
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol name in a linked object file.
GO-2022-0470
- CVE-2022-31022, GHSA-9w9f-6mg8-jp7w
- Affects: github.com/blevesearch/bleve, github.com/blevesearch/bleve/v2
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
HTTP handlers provide unauthenticated access to the local filesystem. The Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.
GO-2022-0463
- CVE-2022-31259, GHSA-qx32-f6g6-fcfr
- Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
- Published: Jul 01, 2022
- Modified: Dec 14, 2023
Routes in the beego HTTP router can match unintended patterns. This overly-broad matching may permit an attacker to bypass access controls. For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/". This may bypass access control applied to the prefix "/a/".
GO-2022-0462
- CVE-2022-29222, GHSA-w45j-f832-hxvh
- Affects: github.com/pion/dtls/v2
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
Client-provided certificates are not correctly validated, and must not be trusted. DTLS client certificates must be accompanied by proof that the client possesses the private key for the certificate. The Pion DTLS server accepted client certificates unaccompanied by this proof, permitting an attacker to present any certificate and have it accepted as valid.
GO-2022-0461
- CVE-2022-29189, GHSA-cx94-mrg9-rq4j
- Affects: github.com/pion/dtls/v2
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
Attacker can cause unbounded memory consumption. The Pion DTLS client and server buffer handshake data with no upper limit, permitting an attacker to cause unbounded memory consumption by sending an unterminated handshake.
GO-2022-0460
- CVE-2022-29190, GHSA-cm8f-h6j3-p25c
- Affects: github.com/pion/dtls/v2
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
An attacker can send packets that send the DTLS server or client into an infinite loop.
GO-2022-0444
- CVE-2022-29173, GHSA-66x3-6cw3-v5gj
- Affects: github.com/theupdateframework/go-tuf
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The TUF client is vulnerable to rollback attacks, in which an attacker causes a client to install software older than the software the client previously knew to be available.
GO-2022-0438
- CVE-2022-29810, GHSA-27rq-4943-qcwp
- Affects: github.com/hashicorp/go-getter
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The getter package can write SSH credentials to its logfile, exposing credentials to local users able to read the logfile.
GO-2022-0435
- CVE-2022-28327
- Affects: crypto/elliptic
- Published: May 20, 2022
- Modified: Jun 12, 2023
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
GO-2022-0434
- CVE-2022-27536
- Affects: crypto/x509
- Published: May 23, 2022
- Modified: Jun 12, 2023
Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.
GO-2022-0433
- CVE-2022-24675
- Affects: encoding/pem
- Published: May 20, 2022
- Modified: Jun 12, 2023
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
GO-2022-0427
- CVE-2022-24863, CVE-2024-25712, and 1 more
- Affects: github.com/swaggo/http-swagger
- Published: Feb 29, 2024
The httpSwagger package's HTTP handler provides WebDAV read/write access to an in-memory filesystem. An attacker can exploit this to cause memory exhaustion by uploading many files, XSS attacks by uploading malicious files, or other unexpected behaviors.
GO-2022-0425
- CVE-2021-4239, GHSA-6cr6-fmvc-vw2p, and 1 more
- Affects: github.com/flynn/noise
- Published: Feb 15, 2022
- Modified: Jun 12, 2023
The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.
GO-2022-0422
- CVE-2022-2584, GHSA-967g-cjx4-h7j6, and 1 more
- Affects: github.com/ipld/go-codec-dagpb
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The dag-pb codec can panic when decoding invalid blocks.
GO-2022-0417
- CVE-2022-27651, GHSA-c3g4-w6cv-6v7h
- Affects: github.com/containers/buildah
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
Containers are created with non-empty inheritable Linux process capabilities, permitting programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug does not affect the container security sandbox, as the inheritable set never contains more capabilities than are included in the container's bounding set.
GO-2022-0414
- CVE-2022-21235, GHSA-6635-c626-vj4r
- Affects: github.com/Masterminds/vcs
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
Passing untrusted inputs to VCS functions can permit an attacker to execute arbitrary commands. The vcs package executes version control commands with user-provided arguments. These arguments can be interpreted as command-line flags, which can be used to perform command injection.
GO-2022-0411
- CVE-2021-4238, GHSA-3839-6r69-m497, and 1 more
- Affects: github.com/Masterminds/goutils
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.
GO-2022-0402
- CVE-2020-26521, GHSA-h2fg-54x9-5qhq, and 1 more
- Affects: github.com/nats-io/jwt
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
A malicious account can create and sign a User JWT which causes a panic when decoded by the NATS JWT library.
GO-2022-0400
- CVE-2022-2583, GHSA-4348-x292-h437, and 1 more
- Affects: github.com/ntbosscher/gobase
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
A race condition can cause incorrect HTTP request routing.
GO-2022-0391
- CVE-2022-2582, GHSA-6jvc-q2x7-pchv, and 1 more
- Affects: github.com/aws/aws-sdk-go
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
GO-2022-0386
- CVE-2021-3127, GHSA-62mh-w5cv-p88c, and 2 more
- Affects: github.com/nats-io/jwt, github.com/nats-io/jwt/v2
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
Import tokens valid for one account may be used for any other account. Validation of Import token bindings incorrectly warns on mismatches, rather than rejecting the Goken. This permits a token for one account to be used for any other account.
GO-2022-0384
- CVE-2021-32690, GHSA-56hp-xqp3-w2jf, and 1 more
- Affects: helm.sh/helm/v3
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The username and password credentials associated with a Helm repository can be passed to another domain referenced by that Helm repository. If the index.yaml for a Helm repository is hosted on one domain and references a chart archive on a different domain, Helm will provide the credentials for the index.yaml's domain when fetching those archives.
GO-2022-0380
- CVE-2020-26892, GHSA-2c64-vj8g-vwrq, and 1 more
- Affects: github.com/nats-io/jwt
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate expired credentials using the current system time rather than the issue time of the JWT to be tested. These functions cannot be used properly. Newer versions of the jwt package provide an IsClaimRevoked method which performs correct validation. In these versions, the IsRevoked method always return true.
GO-2022-0379
- GHSA-qq97-vm5h-rrhg
- Affects: github.com/docker/distribution
- Published: Jul 29, 2022
- Modified: Jun 12, 2023
Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion. A maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image's digest, invalidating the common pattern of relying on container image digests for equivalence. This problem has been addressed in newer versions by improving validation in manifest unmarshalling.
GO-2022-0370
- CVE-2022-24968, GHSA-h289-x5wc-xcv8, and 1 more
- Affects: mellium.im/xmpp
- Published: Jul 29, 2022
- Modified: Jun 12, 2023
Websocket client connections are vulnerable to man-in-the-middle attacks via DNS spoofing. When looking up a WSS endpoint using a DNS TXT record, the server TLS certificate is incorrectly validated using the name of the server returned by the TXT record request, not the name of the the server being connected to. This permits any attacker that can spoof a DNS record to redirect the user to a server of their choosing. Providing a *tls.Config with a ServerName field set to the correct destination hostname will avoid this issue.
GO-2022-0355
- CVE-2022-21221, GHSA-fx95-883v-4q4h
- Affects: github.com/valyala/fasthttp
- Published: Jul 27, 2022
- Modified: Jun 12, 2023
The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory. URL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests with relative paths.
GO-2022-0346
- CVE-2021-3762, GHSA-mq47-6wwv-v79w
- Affects: github.com/quay/claircore
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
A maliciously crafted RPM file can cause the Scanner.Scan function to write files with arbitrary contents to arbitrary locations on the local filestem.
GO-2022-0345
- CVE-2021-3602, GHSA-7638-r9r3-rmjj
- Affects: github.com/containers/buildah
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The RunUsingChroot function unintentionally propagates environment variables from the current process to the child process.
GO-2022-0326
- CVE-2022-23649, GHSA-ccxc-vr6p-4858
- Affects: github.com/sigstore/cosign
- Published: Nov 09, 2023
Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio certificate authority.
GO-2022-0322
- CVE-2022-21698, GHSA-cg3q-j54f-5p7p
- Affects: github.com/prometheus/client_golang
- Published: Jul 15, 2022
- Modified: Dec 14, 2023
The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass a metric with a "method" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown "method".
GO-2022-0318
- CVE-2022-23773
- Affects: cmd/go/internal/modfetch
- Published: Aug 01, 2022
- Modified: Jun 12, 2023
Incorrect access control is possible in the go command. The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.
GO-2022-0316
- CVE-2022-23628, GHSA-hcw3-j74m-qc58
- Affects: github.com/open-policy-agent/opa
- Published: Jul 27, 2022
- Modified: Jun 12, 2023
Pretty-printing an AST that contains synthetic nodes can change the logic of some statements by reordering array literals.
GO-2022-0300
- CVE-2022-21708, GHSA-mh3m-8c74-74xh
- Affects: github.com/graph-gophers/graphql-go
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
Malicious inputs can cause a panic. A maliciously crafted input can cause a stack overflow and panic. Any user with access to the GraphQL can send such a query. This issue only occurs when using the graphql.MaxDepth schema option (which is highly recommended in most cases).
GO-2022-0294
- CVE-2022-0317, GHSA-99cg-575x-774p
- Affects: github.com/google/go-attestation
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
A local attacker can defeat remotely-attested measured boot. Improper input validation in AKPublic.Verify can cause it to succeed when provided with a maliciously-formed Quote over no/some PCRs. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker can couple this vulnerability with a maliciously-formed TCG log in Eventlog.Verify to spoof events in the TCG log, defeating remotely-attested measured-boot.
GO-2022-0289
- CVE-2021-44717
- Affects: syscall
- Published: May 18, 2022
- Modified: Jun 12, 2023
When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.
GO-2022-0288
- CVE-2021-44716, GHSA-vc3p-29h2-gpcp
- Affects: net/http, golang.org/x/net
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.
GO-2022-0274
- CVE-2021-43784, GHSA-v95c-p5hm-xq8f
- Affects: github.com/opencontainers/runc
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
An attacker with partial control over the bind mount sources of a new container can bypass namespace restrictions.
GO-2022-0273
- CVE-2021-39293
- Affects: archive/zip
- Published: May 18, 2022
- Modified: Jun 12, 2023
The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.
GO-2022-0272
- CVE-2021-23772, GHSA-jcxc-rh6w-wf49
- Affects: github.com/kataras/iris/v12, github.com/kataras/iris
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory. This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames returned by "mime/multipart".Part.FileName, which avoids this issue.
GO-2022-0256
- CVE-2021-41173, GHSA-59hh-656j-3p7v
- Affects: github.com/ethereum/go-ethereum
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
A maliciously crafted snap/1 protocol message can cause a panic.
GO-2022-0254
- CVE-2021-39137, GHSA-9856-9gg9-qcmq
- Affects: github.com/ethereum/go-ethereum
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
A vulnerability in the Geth EVM can cause a node to reject the canonical chain. A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different stateRoot when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.
GO-2022-0253
- CVE-2021-3912, GHSA-g9wh-3vrx-r7hg
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The HTTPFetcher.GetXML function reads a response of unlimited size into memory, permitting resource exhaustion.
GO-2022-0252
- CVE-2021-3911, GHSA-w6ww-fmfx-2x22
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
OctoRPKI crashes when a repository returns an ROA with a IP address that contains too many bits.
GO-2022-0251
- CVE-2021-3910, GHSA-5mxh-2qfv-4g7j
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
OctoRPKI crashes when a repository returns an invalid ROA that is only an encoded NUL character (\0).
GO-2022-0248
- CVE-2021-3907, GHSA-cqh2-vc2f-q4fh, and 1 more
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: Nov 06, 2023
Manifest path extraction is vulnerable to directory traversal attacks. The ExtractPathManifest function permits file paths containing relative directory components (".."), permitting files to reference arbitrary locations on the filesystem.
GO-2022-0247
- CVE-2021-38297
- Affects: cmd/link
- Published: May 24, 2022
- Modified: Dec 13, 2023
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments due to a buffer overflow error. If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.
GO-2022-0246
- CVE-2021-3761, GHSA-c8xp-8mf3-62h9
- Affects: github.com/cloudflare/cfrpki
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The ROAEntry.Validate function fails to perform bounds checks on the MaxLength field, allowing invalid values to pass validation.
GO-2022-0244
- CVE-2021-3538, GHSA-33m6-q9v5-62r7
- Affects: github.com/satori/go.uuid
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
Random data used to create UUIDs can contain zeros, resulting in predictable UUIDs and possible collisions.
GO-2022-0236
- CVE-2021-31525, GHSA-h86h-8ppg-mxmh
- Affects: net/http, golang.org/x/net
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
A malicious HTTP server or client can cause the net/http client or server to panic. ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.
GO-2022-0233
- CVE-2021-23409, GHSA-xcf7-q56x-78gh
- Affects: github.com/pires/go-proxyproto
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The PROXY protocol server does not impose a timeout on reading the header from new connections, allowing a malicious client to cause resource exhaustion and a denial of service by opening many connections and sending no data on them. v0.6.0 of the proxyproto package adds support for a user-defined header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2 increases the default timeout to 10s.
GO-2022-0230
- CVE-2021-20206, GHSA-xjqr-g762-pxwp
- Affects: github.com/containernetworking/cni
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The FindInPath function is vulnerable to directory traversal attacks, potentially permitting attackers to execute arbitrary binaries. This function does not sanitize its plugin parameter, so parameter names containing "../" or other such elements may reference arbitrary locations on the filesystem.
GO-2022-0229
- CVE-2020-7919, GHSA-cjjc-xp8v-855w
- Affects: crypto/x509, golang.org/x/crypto
- Published: Jul 06, 2022
- Modified: Jun 12, 2023
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
GO-2022-0220
- CVE-2019-9634
- Affects: runtime, syscall
- Published: May 25, 2022
- Modified: Mar 07, 2024
Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.
GO-2022-0217
- CVE-2019-6486
- Affects: crypto/elliptic
- Published: May 24, 2022
- Modified: Jun 12, 2023
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
GO-2022-0213
- CVE-2019-17596
- Affects: crypto/dsa
- Published: May 24, 2022
- Modified: Jun 12, 2023
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.
GO-2022-0212
- CVE-2019-16276
- Affects: net/textproto
- Published: May 23, 2022
- Modified: Dec 13, 2023
net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.
GO-2022-0211
- CVE-2019-14809
- Affects: net/url
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
GO-2022-0209
- CVE-2019-11840, GHSA-r5c5-pr8j-pfp7
- Affects: golang.org/x/crypto
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
XORKeyStream generates incorrect and insecure output for very large inputs. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications. The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages. Architectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.
GO-2022-0203
- CVE-2018-7187
- Affects: cmd/go
- Published: Aug 09, 2022
- Modified: Jun 12, 2023
The "go get" command is vulnerable to remote code execution. When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
GO-2022-0201
- CVE-2018-6574
- Affects: cmd/go
- Published: Aug 09, 2022
- Modified: Jun 12, 2023
The "go get" command with cgo is vulnerable to remote command execution by leveraging the gcc or clang plugin feature. When cgo is enabled, the build step during "go get" invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an attack.so file along with a Go source file that says (for example) "// #cgo CFLAGS: -fplugin=attack.so" causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.
GO-2022-0197
- CVE-2018-17847, CVE-2018-17848, and 2 more
- Affects: golang.org/x/net
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input "<svg><template><desc><t><svg></template>".
GO-2022-0193
- CVE-2018-17143, GHSA-fcf9-6fv2-fc5v
- Affects: golang.org/x/net
- Published: Jul 06, 2022
- Modified: Dec 14, 2023
The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input "<template><tBody><isindex/action=0>".
GO-2022-0192
- CVE-2018-17142, GHSA-2wp2-chmh-r934
- Affects: golang.org/x/net
- Published: Jul 01, 2022
- Modified: Dec 14, 2023
The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input "<math><template><mo><template>".
GO-2022-0191
- CVE-2018-16875
- Affects: crypto/x509
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.
GO-2022-0190
- CVE-2018-16874
- Affects: cmd/go/internal/get
- Published: Aug 02, 2022
- Modified: Jun 12, 2023
The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
GO-2022-0189
- CVE-2018-16873
- Affects: cmd/go/internal/get
- Published: Aug 04, 2022
- Modified: Jun 12, 2023
The "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". Note that forbidding import paths with a .git element might not be sufficient to mitigate this issue, as on certain systems there can be other aliases for VCS state folders.
GO-2022-0187
- CVE-2017-8932
- Affects: crypto/elliptic
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The ScalarMult implementation of curve P-256 for amd64 architectures generates incorrect results for certain specific input points. An adaptive attack can progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.
GO-2022-0177
- CVE-2017-15041
- Affects: cmd/go
- Published: Aug 09, 2022
- Modified: Jun 12, 2023
The "go get" command allows remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get".
GO-2022-0171
- CVE-2017-1000097
- Affects: crypto/x509
- Published: May 24, 2022
- Modified: Jun 12, 2023
On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.
GO-2022-0166
- CVE-2016-3959
- Affects: crypto/dsa
- Published: May 24, 2022
- Modified: Jun 12, 2023
The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.
GO-2021-0412
- CVE-2022-24778, GHSA-8v99-48m9-c8pm
- Affects: github.com/containerd/imgcrypt
- Published: Apr 28, 2022
- Modified: Dec 14, 2023
The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function CheckAuthorization is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.
GO-2021-0356
- CVE-2022-27191, GHSA-8c26-wmh5-6g9v
- Affects: golang.org/x/crypto
- Published: Apr 25, 2022
- Modified: Jun 22, 2023
Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that 1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and 2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method. Servers that only use Signer implementations provided by the ssh package are unaffected.
GO-2021-0347
- CVE-2022-24921
- Affects: regexp
- Published: May 23, 2022
- Modified: Jun 12, 2023
On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.
GO-2021-0319
- CVE-2022-23806
- Affects: crypto/elliptic
- Published: May 23, 2022
- Modified: Jun 12, 2023
Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.
GO-2021-0317
- CVE-2022-23772
- Affects: math/big
- Published: May 23, 2022
- Modified: Jun 12, 2023
Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.
GO-2021-0265
- CVE-2021-42248, CVE-2021-42836, and 2 more
- Affects: github.com/tidwall/gjson
- Published: Aug 15, 2022
- Modified: Dec 14, 2023
A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.
GO-2021-0264
- CVE-2021-41772
- Affects: archive/zip
- Published: Jan 13, 2022
- Modified: Jun 12, 2023
Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements. Open could also panic if passed the empty string directly as an argument. Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File. Note that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one. Finally, the actual panic site was made robust as a defense-in-depth measure.
GO-2021-0263
- CVE-2021-41771
- Affects: debug/macho
- Published: Jan 13, 2022
- Modified: Jun 12, 2023
Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table.
GO-2021-0258
- CVE-2021-41230, GHSA-j6wp-3859-vxfg
- Affects: github.com/pomerium/pomerium
- Published: Jan 14, 2022
- Modified: Jun 12, 2023
Pomerium is an open source identity-aware access proxy. Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims as part of policy. If using allowed_idp_claims and a user's claims are changed, Pomerium can make incorrect authorization decisions. For users unable to upgrade clear data on databroker service by clearing redis or restarting the in-memory databroker to force claims to be updated.
GO-2021-0245
- CVE-2021-36221
- Affects: net/http/httputil
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
ReverseProxy can panic after encountering a problem copying a proxied response body.
GO-2021-0243
- CVE-2021-34558
- Affects: crypto/tls
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected.
GO-2021-0242
- CVE-2021-33198
- Affects: math/big
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.
GO-2021-0241
- CVE-2021-33197
- Affects: net/http/httputil
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.
GO-2021-0240
- CVE-2021-33196
- Affects: archive/zip
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.
GO-2021-0239
- CVE-2021-33195
- Affects: net
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.
GO-2021-0238
- CVE-2021-33194, GHSA-83g2-8m93-v3w7
- Affects: golang.org/x/net
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
An attacker can craft an input to ParseFragment that causes it to enter an infinite loop and never return.
GO-2021-0237
- CVE-2021-32721, GHSA-mj9r-wwm8-7q52
- Affects: github.com/AndrewBurian/powermux
- Published: Jan 11, 2022
- Modified: Jun 12, 2023
Attackers may be able to craft phishing links and other open redirects by exploiting PowerMux's trailing slash redirection feature. This may lead to users being redirected to untrusted sites after following an attacker crafted link.
GO-2021-0235
- CVE-2021-3114
- Affects: crypto/elliptic
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.
GO-2021-0234
- CVE-2021-27918
- Affects: encoding/xml
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.
GO-2021-0228
- CVE-2020-7664, GHSA-vpx7-vm66-qx8r
- Affects: github.com/unknwon/cae
- Published: Jan 14, 2022
- Modified: Jun 12, 2023
The ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
GO-2021-0227
- CVE-2020-29652, GHSA-3vm4-22fp-5rfm
- Affects: golang.org/x/crypto
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
Clients can cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.
GO-2021-0226
- CVE-2020-24553
- Affects: net/http/cgi, net/http/fcgi
- Published: Jan 13, 2022
- Modified: Jun 12, 2023
When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package. Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.
GO-2021-0224
- CVE-2020-15586
- Affects: net/http
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.
GO-2021-0223
- CVE-2020-14039
- Affects: crypto/x509
- Published: Feb 17, 2022
- Modified: Jun 12, 2023
On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages. This may allow a certificate to be used for an unintended purpose.
GO-2021-0178
- CVE-2017-15042
- Affects: net/smtp
- Published: Jan 07, 2022
- Modified: Jun 12, 2023
SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers.
GO-2021-0172
- CVE-2017-1000098
- Affects: mime/multipart
- Published: Feb 15, 2022
- Modified: Jun 12, 2023
When parsing large multipart/form-data, an attacker can cause a HTTP server to open a large number of file descriptors. This may be used as a denial-of-service vector.
GO-2021-0163
- CVE-2016-3958
- Affects: syscall
- Published: Jan 05, 2022
- Modified: Jun 12, 2023
Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.
GO-2021-0160
- CVE-2015-8618
- Affects: math/big
- Published: Jan 05, 2022
- Modified: Jun 12, 2023
Int.Exp Montgomery mishandled carry propagation and produced an incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors. This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way. Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used. Note that on 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit.
GO-2021-0159
- CVE-2015-5739, CVE-2015-5740, and 1 more
- Affects: net/http
- Published: Jan 05, 2022
- Modified: Jun 12, 2023
HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
GO-2021-0154
- CVE-2014-7189
- Affects: crypto/tls
- Published: May 25, 2022
- Modified: Jun 12, 2023
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.
GO-2021-0142
- CVE-2020-16845, GHSA-q6gq-997w-f55g
- Affects: encoding/binary
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs. Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.
GO-2021-0113
- CVE-2021-38561, GHSA-ppp9-7jff-5vj2
- Affects: golang.org/x/text
- Published: Oct 06, 2021
- Modified: Jun 12, 2023
Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
GO-2021-0112
- CVE-2021-20329, GHSA-f6mq-5m25-4r72
- Affects: go.mongodb.org/mongo-driver
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are affected if they use this package to handle untrusted user input.
GO-2021-0110
- CVE-2020-15222, GHSA-v3q9-2p3m-7g43
- Affects: github.com/ory/fosite
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be replayed.
GO-2021-0109
- CVE-2020-15223, GHSA-7mqr-2v3q-v2wm
- Affects: github.com/ory/fosite
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attackers ability to exploit this relies on an ability to trigger errors in the underlying storage.
GO-2021-0108
- CVE-2020-15111, GHSA-9cx9-x2gp-9qvh
- Affects: github.com/gofiber/fiber
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper input sanitization, a maliciously constructed filename could cause a file download to use an attacker controlled filename, as well as injecting additional headers into an HTTP response.
GO-2021-0107
- CVE-2021-4236, GHSA-5gjg-jgh4-gppm, and 1 more
- Affects: github.com/ecnepsnai/web
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.
GO-2021-0106
- CVE-2020-36566, GHSA-jpf8-h7h7-3ppm
- Affects: github.com/whyrusleeping/tar-utils
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
GO-2021-0105
- CVE-2020-26265, GHSA-xw37-57qp-9mm4
- Affects: github.com/ethereum/go-ethereum
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement, causing users of this package to reject a canonical chain.
GO-2021-0104
- CVE-2021-28681, GHSA-74xm-qj29-cq8p
- Affects: github.com/pion/webrtc/v3
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper error handling, DTLS connections were not killed when certificate verification failed, causing users who did not check the connection state to continue to use the connection. This could allow allow an attacker which holds the ICE password, but not a valid certificate, to bypass this restriction.
GO-2021-0103
- CVE-2020-26242, GHSA-jm5c-rv3w-w83m
- Affects: github.com/holiman/uint256
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper bounds checking, certain mathematical operations can cause a panic via an out of bounds read. If this package is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
GO-2021-0102
- CVE-2019-11289, GHSA-5796-p3m6-9qj4
- Affects: code.cloudfoundry.org/gorouter, github.com/cloudfoundry/gorouter
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect nonce size. If this package is used to decrypt user supplied messages without checking the size of supplied nonces, this may be used as a vector for a denial of service attack.
GO-2021-0101
- CVE-2019-0210, GHSA-jq7p-26h5-w78r
- Affects: github.com/apache/thrift
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If this package is used to parse untrusted input, this may be used as a vector for a denial of service attack.
GO-2021-0100
- CVE-2021-20291, GHSA-7qw8-847f-pggm
- Affects: github.com/containers/storage
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.
GO-2021-0099
- CVE-2021-21272, GHSA-g5v4-5x39-vwhx
- Affects: github.com/deislabs/oras
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore content store may result in directory traversal during archive extraction, allowing a malicious archive to write paths to arbitrary paths that the process can write to.
GO-2021-0098
- CVE-2021-21237, GHSA-cx3w-xqmc-84g5
- Affects: github.com/git-lfs/git-lfs
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to the standard library behavior of exec.LookPath on Windows a number of methods may result in arbitrary code execution when cloning or operating on untrusted Git repositories.
GO-2021-0097
- CVE-2020-29242, CVE-2020-29243, and 6 more
- Affects: github.com/dhowden/tag
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper bounds checking, a number of methods can trigger a panic due to attempted out-of-bounds reads. If the package is used to parse user supplied input, this may be used as a vector for a denial of service attack.
GO-2021-0096
- CVE-2020-8945, GHSA-m6wg-2mwg-4rfq
- Affects: github.com/proglottis/gpgme
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper setting of finalizers, memory passed to C may be freed before it is used, leading to crashes due to memory corruption or possible code execution.
GO-2021-0095
- CVE-2020-8918, GHSA-5x29-3hr9-6wpw
- Affects: github.com/google/go-tpm
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted, allowing them to use the created key.
GO-2021-0094
- CVE-2020-29529, GHSA-2g5j-5x95-r6hr
- Affects: github.com/hashicorp/go-slug
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Protections against directory traversal during archive extraction can be bypassed by chaining multiple symbolic links within the archive. This allows a malicious attacker to cause files to be created outside of the target directory. Additionally if the attacker is able to read extracted files they may create symbolic links to arbitrary files on the system which the unpacker has permissions to read.
GO-2021-0090
- CVE-2020-15091, GHSA-6jqj-f58p-mrw3
- Affects: github.com/tendermint/tendermint
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping these signatures, they cause failure during verification. A malicious proposer can use this to force consensus failures.
GO-2021-0089
- CVE-2020-10675, GHSA-rmh2-65xw-9m6q
- Affects: github.com/buger/jsonparser
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Parsing malformed JSON which contain opening brackets, but not closing brackets, leads to an infinite loop. If operating on untrusted user input this can be used as a denial of service vector.
GO-2021-0088
- CVE-2019-3564, GHSA-x4rg-4545-4w7w
- Affects: github.com/facebook/fbthrift
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Skip ignores unknown fields, rather than failing. A malicious user can craft small messages with unknown fields which can take significant resources to parse. If a server accepts messages from an untrusted user, it may be used as a denial of service vector.
GO-2021-0087
- CVE-2019-19921, GHSA-fh74-hm69-rqjw
- Affects: github.com/opencontainers/runc
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.
GO-2021-0086
- CVE-2019-19619, GHSA-wmwp-pggc-h4mj
- Affects: github.com/documize/community
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
HTML content in markdown is not sanitized during rendering, possibly allowing XSS if used to render untrusted user input.
GO-2021-0085
- CVE-2019-16884, GHSA-fgv8-vj5c-2ppq
- Affects: github.com/opencontainers/runc, github.com/opencontainers/selinux
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.
GO-2021-0084
- CVE-2019-16354, CVE-2019-16355, and 2 more
- Affects: github.com/astaxie/beego
- Published: Apr 14, 2021
- Modified: Feb 13, 2024
Session data is stored using permissive permissions, allowing local users with filesystem access to read arbitrary data.
GO-2021-0083
- CVE-2019-12496, GHSA-vfxc-r2gx-v2vq
- Affects: github.com/hybridgroup/gobot
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
TLS certificate verification is skipped when connecting to a MQTT server. This allows an attacker who can MITM the connection to read, or forge, messages passed between the client and server.
GO-2021-0082
- CVE-2019-11939, GHSA-w3r9-r9w7-8h48
- Affects: github.com/facebook/fbthrift
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Thrift Servers preallocate memory for the declared size of messages before checking the actual size of the message. This allows a malicious user to send messages that declare that they are significantly larger than they actually are, allowing them to force the server to allocate significant amounts of memory. This can be used as a denial of service vector.
GO-2021-0081
- CVE-2019-10214, GHSA-85p9-j7c9-v4gr
- Affects: github.com/containers/image
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
The HTTP client used to connect to the container registry authorization service explicitly disables TLS verification, allowing an attacker that is able to MITM the connection to steal credentials.
GO-2021-0079
- CVE-2018-18206, GHSA-vc3x-gx6c-g99f
- Affects: github.com/bytom/bytom
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
A malformed query can cause an out-of-bounds panic due to improper validation of arguments. If processing queries from untrusted parties, this may be used as a vector for denial of service attacks.
GO-2021-0078
- CVE-2018-17075, GHSA-5p4h-3377-7w67
- Affects: golang.org/x/net
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
The HTML parser does not properly handle "in frameset" insertion mode, and can be made to panic when operating on malformed HTML that contains <template> tags. If operating on user input, this may be a vector for a denial of service attack.
GO-2021-0077
- CVE-2018-16886, GHSA-h6xx-pmxh-3wgp
- Affects: go.etcd.io/etcd
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
A user can use a valid client certificate that contains a CommonName that matches a valid RBAC username to authenticate themselves as that user, despite lacking the required credentials. This may allow authentication bypass, but requires a certificate that is issued by a CA trusted by the server.
GO-2021-0076
- CVE-2018-14632, GHSA-gxhv-3hwf-wjp9
- Affects: github.com/evanphx/json-patch
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
A malicious JSON patch can cause a panic due to an out-of-bounds write attempt. This can be used as a denial of service vector if exposed to arbitrary user input.
GO-2021-0075
- CVE-2018-12018, GHSA-p5gc-957x-gfw9
- Affects: github.com/ethereum/go-ethereum
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Due to improper argument validation in RPC messages, a maliciously crafted message can cause a panic, leading to denial of service.
GO-2021-0073
- CVE-2017-17831, GHSA-w4xh-w33p-4v29
- Affects: github.com/git-lfs/git-lfs
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Arbitrary command execution can be triggered by improperly sanitized SSH URLs in LFS configuration files. This can be triggered by cloning a malicious repository.
GO-2021-0072
- CVE-2017-11468, GHSA-h62f-wm92-2cmw
- Affects: github.com/docker/distribution
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Various storage methods do not impose limits on how much content is accepted from user requests, allowing a malicious user to force the caller to allocate an arbitrary amount of memory.
GO-2021-0071
- CVE-2015-1340, GHSA-8mpq-fmr3-6jxv
- Affects: github.com/lxc/lxd
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
A race between chown and chmod operations during a container filesystem shift may allow a user who can modify the filesystem to chmod an arbitrary path of their choice, rather than the expected path.
GO-2021-0070
- CVE-2016-3697, GHSA-q3j5-32m5-58c2
- Affects: github.com/opencontainers/runc
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.
GO-2021-0069
- CVE-2020-28362
- Affects: math/big
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
A number of math/big.Int methods can panic when provided large inputs due to a flawed division method.
GO-2021-0068
- CVE-2021-3115
- Affects: cmd/go
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get on a malicious module, or any other time the code is built.
GO-2021-0067
- CVE-2021-27919
- Affects: archive/zip
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Using Reader.Open on an archive containing a file with a path prefixed by "../" will cause a panic due to a stack overflow. If parsing user supplied archives, this may be used as a denial of service vector.
GO-2021-0066
- CVE-2020-8564, GHSA-8mjg-8c8g-6h85
- Affects: k8s.io/kubernetes
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Attempting to read a malformed .dockercfg may cause secrets to be inappropriately logged.
GO-2021-0065
- CVE-2019-11250, GHSA-jmrx-5g74-6v2f
- Affects: k8s.io/client-go, k8s.io/kubernetes
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Authorization tokens may be inappropriately logged if the verbosity level is set to a debug level.
GO-2021-0064
- CVE-2020-8565, GHSA-8cfg-vx93-jvxw
- Affects: k8s.io/client-go, k8s.io/kubernetes
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Authorization tokens may be inappropriately logged if the verbosity level is set to a debug level. This is due to an incomplete fix for CVE-2019-11250.
GO-2021-0063
- CVE-2020-26264, GHSA-r33q-22hv-j29q
- Affects: github.com/ethereum/go-ethereum
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Due to a nil pointer dereference, a maliciously crafted RPC message can cause a panic. If handling RPC messages from untrusted clients, this may be used as a denial of service vector.
GO-2021-0061
- CVE-2021-4235, GHSA-r88r-gmrh-7j83
- Affects: gopkg.in/yaml.v2, github.com/go-yaml/yaml
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
GO-2021-0060
- CVE-2020-29509, GHSA-xhqq-x44f-9fgg
- Affects: github.com/russellhaering/gosaml2
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.
GO-2021-0059
- CVE-2020-35380, GHSA-w942-gw6m-p62c
- Affects: github.com/tidwall/gjson
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.
GO-2021-0058
- CVE-2020-27846, GHSA-4hq8-gmxx-h6w9
- Affects: github.com/crewjam/saml
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.
GO-2021-0057
- CVE-2020-35381, GHSA-8vrw-m3j9-j27c
- Affects: github.com/buger/jsonparser
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.
GO-2021-0054
- CVE-2020-36067, GHSA-p64j-r5f4-pwwx
- Affects: github.com/tidwall/gjson
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.
GO-2021-0053
- CVE-2021-3121, GHSA-c3h9-896r-86jm
- Affects: github.com/gogo/protobuf
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.
GO-2021-0052
- CVE-2020-28483, GHSA-h395-qcrw-5vmq
- Affects: github.com/gin-gonic/gin
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.
GO-2021-0051
- CVE-2020-36565, GHSA-j453-hm5x-c46w
- Affects: github.com/labstack/echo/v4
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
GO-2020-0050
- CVE-2020-15216, GHSA-q547-gmf8-8jr7
- Affects: github.com/russellhaering/goxmldsig
- Published: Apr 14, 2021
- Modified: Nov 10, 2023
Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.
GO-2020-0049
- CVE-2020-36564, GHSA-5x84-q523-vvwr
- Affects: github.com/justinas/nosurf
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
GO-2020-0048
- CVE-2020-25614, GHSA-93m7-c69f-5cfj
- Affects: github.com/antchfx/xmlquery
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
LoadURL does not check the Content-Type of loaded resources, which can cause a panic due to nil pointer deference if the loaded resource is not XML. If user supplied URLs are loaded, this may be used as a denial of service vector.
GO-2020-0047
- CVE-2020-36563, GHSA-5rhg-xhgr-5hfj
- Affects: github.com/RobotsAndPencils/go-saml
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.
GO-2020-0046
- CVE-2020-7711, CVE-2020-7731, and 3 more
- Affects: github.com/russellhaering/goxmldsig, github.com/russellhaering/gosaml2
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to a nil pointer dereference, a malformed XML Digital Signature can cause a panic during validation. If user supplied signatures are being validated, this may be used as a denial of service vector.
GO-2020-0045
- CVE-2016-15005, GHSA-q9qr-jwpw-3qvv
- Affects: github.com/dinever/golf
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.
GO-2020-0043
- CVE-2018-21246, GHSA-gr7w-x2jp-3xgw
- Affects: github.com/mholt/caddy
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.
GO-2020-0042
- CVE-2020-7667, GHSA-9423-6c93-gpp8
- Affects: github.com/sassoftware/go-rpmutils
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper path sanitization, RPMs containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
GO-2020-0041
- CVE-2020-7668, GHSA-88jf-7rch-32qc
- Affects: github.com/unknwon/cae
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
GO-2020-0040
- CVE-2020-36562, GHSA-p6fg-723f-hgpw
- Affects: github.com/shiyanhui/dht
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector.
GO-2020-0039
- CVE-2020-12666, GHSA-733f-44f3-3frw
- Affects: gopkg.in/macaron.v1
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper request sanitization, a specifically crafted URL can cause the static file handler to redirect to an attacker chosen URL, allowing for open redirect attacks.
GO-2020-0038
- CVE-2019-20786, GHSA-7gfg-6934-mqq2
- Affects: github.com/pion/dtls
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper verification of packets, unencrypted packets containing application data are accepted after the initial handshake. This allows an attacker to inject arbitrary data which the client/server believes was encrypted, despite not knowing the session key.
GO-2020-0037
- CVE-2019-25072, GHSA-3fm3-m23v-5r46
- Affects: github.com/tendermint/tendermint
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector.
GO-2020-0036
- CVE-2019-11254, GHSA-wxc4-f4m6-wwqv
- Affects: gopkg.in/yaml.v2, github.com/go-yaml/yaml
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.
GO-2020-0035
- CVE-2020-36561, GHSA-f5c5-hmw9-v8hx
- Affects: github.com/yi-ge/unzip
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
GO-2020-0034
- CVE-2020-36560, GHSA-rmj9-q58g-9qgg
- Affects: github.com/artdarek/go-unzip
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
GO-2020-0033
- CVE-2020-36559, GHSA-vp56-r7qv-783v
- Affects: aahframe.work
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
GO-2020-0032
- CVE-2019-25073, GHSA-fjgq-224f-fq37
- Affects: github.com/goadesign/goa, goa.design/goa, and 1 more
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper sanitization of user input, Controller.FileHandler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
GO-2020-0028
- CVE-2018-17419, GHSA-9jcx-pr2f-qvq5
- Affects: github.com/miekg/dns
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
Due to a nil pointer dereference, parsing a malformed zone file containing TA records may cause a panic. If parsing user supplied input, this may be used as a denial of service vector.
GO-2020-0027
- CVE-2018-6558, GHSA-qj26-7grj-whg3
- Affects: github.com/google/fscrypt
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
After dropping and then elevating process privileges euid, guid, and groups are not properly restored to their original values, allowing an unprivileged user to gain membership in the root group.
GO-2020-0026
- CVE-2018-1103, GHSA-w55j-f7vx-6q37
- Affects: github.com/openshift/source-to-image
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
GO-2020-0025
- CVE-2018-25046, GHSA-32qh-8vg6-9g43
- Affects: code.cloudfoundry.org/archiver
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
GO-2020-0024
- CVE-2013-10005, GHSA-gxgj-xjcw-fv9p
- Affects: github.com/btcsuite/go-socks, github.com/btcsuitereleases/go-socks
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow.
GO-2020-0023
- CVE-2015-10004, GHSA-5vw4-v588-pgv8
- Affects: github.com/robbert229/jwt
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.
GO-2020-0022
- CVE-2014-125026, GHSA-4wp2-8rm2-jgmh
- Affects: github.com/cloudflare/golz4
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input.
GO-2020-0021
- CVE-2014-8681, GHSA-mr6h-chqp-p9g2
- Affects: github.com/gogits/gogs
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper sanitization of user input, a number of methods are vulnerable to SQL injection if used with user input that has not been sanitized by the caller.
GO-2020-0020
- CVE-2017-20146, GHSA-jcr6-mmjj-pchw
- Affects: github.com/gorilla/handlers
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
GO-2020-0019
- CVE-2020-27813, GHSA-3xh2-74w9-5vxm
- Affects: github.com/gorilla/websocket
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining. This may cause the server or client to get stuck attempting to read frames in a loop, which can be used as a denial of service vector.
GO-2020-0017
- CVE-2020-26160, GHSA-w73w-5m7g-f7qc
- Affects: github.com/dgrijalva/jwt-go, github.com/dgrijalva/jwt-go/v4
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.
GO-2020-0016
- CVE-2021-29482, GHSA-25xm-hr59-7c27
- Affects: github.com/ulikunitz/xz
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
An attacker can construct a series of bytes such that calling Reader.Read on the bytes could cause an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.
GO-2020-0015
- CVE-2020-14040, GHSA-5rcv-m4m3-hfh7
- Affects: golang.org/x/text
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.
GO-2020-0014
- CVE-2018-17846, GHSA-vfw5-hrgq-h5wf
- Affects: golang.org/x/net
- Published: Apr 14, 2021
- Modified: Oct 12, 2023
html.Parse does not properly handle "select" tags, which can lead to an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.
GO-2020-0013
- CVE-2017-3204, GHSA-xhjq-w7xm-p8qj
- Affects: golang.org/x/crypto
- Published: Apr 14, 2021
- Modified: Apr 19, 2024
By default host key verification is disabled which allows for man-in-the-middle attacks against SSH clients if ClientConfig.HostKeyCallback is not set.
GO-2020-0012
- CVE-2020-9283, GHSA-ffhg-7mh4-33c4
- Affects: golang.org/x/crypto
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. If verifying signatures using user supplied public keys, this may be used as a denial of service vector.
GO-2020-0010
- CVE-2016-9121, GHSA-86r9-39j9-99wp
- Affects: github.com/square/go-jose
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
When using ECDH-ES an attacker can mount an invalid curve attack during decryption as the supplied public key is not checked to be on the same curve as the receivers private key.
GO-2020-0009
- CVE-2016-9123, GHSA-3fx4-7f69-5mmg
- Affects: github.com/square/go-jose
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC with HMAC such that they can control how large the input buffer is when computing the HMAC authentication tag. This can can allow a manipulated ciphertext to be verified as authentic, opening the door for padding oracle attacks.
GO-2020-0008
- CVE-2019-19794, GHSA-44r7-7p62-q3fr
- Affects: github.com/miekg/dns
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
DNS message transaction IDs are generated using math/rand which makes them relatively predictable. This reduces the complexity of response spoofing attacks against DNS clients.
GO-2020-0007
- CVE-2017-18367, GHSA-58v3-j75h-xr49
- Affects: github.com/seccomp/libseccomp-golang
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Filters containing rules with multiple syscall arguments are improperly constructed, such that all arguments are required to match rather than any of the arguments (AND is used rather than OR). These filters can be bypassed by only specifying a subset of the arguments due to this behavior.
GO-2020-0006
- CVE-2017-15133, GHSA-p55x-7x9v-q8m4
- Affects: github.com/miekg/dns
- Published: Apr 14, 2021
- Modified: Dec 14, 2023
An attacker may prevent TCP connections to a Server by opening a connection and leaving it idle, until the connection is closed by the server no other connections will be accepted.
GO-2020-0005
- CVE-2020-15106, CVE-2020-15112, and 2 more
- Affects: go.etcd.io/etcd
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Malformed WALs can be constructed such that WAL.ReadAll can cause attempted out of bounds reads, or creation of arbitrarily sized slices, which may be used as a DoS vector.
GO-2020-0004
- CVE-2020-36569, GHSA-hrm3-3xm6-x33h
- Affects: github.com/nanobox-io/golang-nanoauth
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
If any of the ListenAndServe functions are called with an empty token, token authentication is disabled globally for all listeners. Also, a minor timing side channel was present allowing attackers with very low latency and able to make many requests to potentially recover the token.
GO-2020-0003
- CVE-2020-36568, GHSA-hggr-p7v6-73p5
- Affects: github.com/revel/revel
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
An attacker can cause an application that accepts slice parameters (https://revel.github.io/manual/parameters.html#slices) to allocate large amounts of memory and crash through manipulating the request query sent to the application.
GO-2020-0001
- CVE-2020-36567, GHSA-6vm3-jj99-7229
- Affects: github.com/gin-gonic/gin
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.