Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
CVSS Score
6.1
EPSS Score
0.036
Published
2020-09-02
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
CVSS Score
7.5
EPSS Score
0.047
Published
2020-08-06
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
CVSS Score
5.3
EPSS Score
0.018
Published
2020-07-17
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
CVSS Score
5.9
EPSS Score
0.029
Published
2020-07-17
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
CVSS Score
7.5
EPSS Score
0.026
Published
2020-03-16
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
CVSS Score
9.8
EPSS Score
0.027
Published
2020-02-08
CVE-2020-0601
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
Known exploited
CVSS Score
8.1
EPSS Score
0.894
Published
2020-01-14
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
CVSS Score
7.5
EPSS Score
0.047
Published
2019-10-24
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
CVSS Score
7.5
EPSS Score
0.052
Published
2019-09-30
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
CVSS Score
9.8
EPSS Score
0.084
Published
2019-08-13