Golang: >> Go >> 1.16.14 Security Vulnerabilities
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
CVSS Score
6.5
EPSS Score
0.0
Published
2022-08-10
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
CVSS Score
7.5
EPSS Score
0.0
Published
2022-07-15
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-06-23
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-04-20
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-04-20
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
CVSS Score
7.5
EPSS Score
0.0
Published
2022-03-05
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVSS Score
7.5
EPSS Score
0.001
Published
2021-08-07
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVSS Score
9.8
EPSS Score
0.003
Published
2020-12-14
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVSS Score
9.8
EPSS Score
0.003
Published
2020-12-14
Page 6