Vulnerabilities (CVE)

Filtered by vendor Golang Subscribe
Total 80 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-27191 2 Fedoraproject, Golang 2 Fedora, Ssh 2022-05-14 4.3 MEDIUM 7.5 HIGH
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
CVE-2022-24921 3 Debian, Golang, Netapp 3 Debian Linux, Go, Astra Trident 2022-05-10 5.0 MEDIUM 7.5 HIGH
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
CVE-2022-23806 3 Debian, Golang, Netapp 6 Debian Linux, Go, Beegfs Csi Driver and 3 more 2022-05-10 6.4 MEDIUM 9.1 CRITICAL
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
CVE-2022-23772 3 Debian, Golang, Netapp 6 Debian Linux, Go, Beegfs Csi Driver and 3 more 2022-05-10 7.8 HIGH 7.5 HIGH
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
CVE-2021-3115 4 Fedoraproject, Golang, Microsoft and 1 more 5 Fedora, Go, Windows and 2 more 2022-05-03 5.1 MEDIUM 7.5 HIGH
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
CVE-2019-11841 2 Debian, Golang 2 Debian Linux, Crypto 2022-05-03 4.3 MEDIUM 5.9 MEDIUM
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.
CVE-2022-24675 1 Golang 1 Go 2022-05-03 5.0 MEDIUM 7.5 HIGH
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
CVE-2022-28327 1 Golang 1 Go 2022-04-29 5.0 MEDIUM 7.5 HIGH
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
CVE-2022-27536 2 Apple, Golang 2 Macos, Go 2022-04-29 5.0 MEDIUM 7.5 HIGH
Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.
CVE-2021-29923 3 Fedoraproject, Golang, Oracle 3 Fedora, Go, Timesten In-memory Database 2022-04-22 5.0 MEDIUM 7.5 HIGH
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVE-2021-31525 2 Fedoraproject, Golang 2 Fedora, Go 2022-04-19 2.6 LOW 5.9 MEDIUM
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-38297 2 Fedoraproject, Golang 2 Fedora, Go 2022-04-01 7.5 HIGH 9.8 CRITICAL
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
CVE-2020-29652 1 Golang 1 Go 2022-04-01 5.0 MEDIUM 7.5 HIGH
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
CVE-2021-3121 2 Golang, Hashicorp 2 Protobuf, Consul 2022-04-01 7.5 HIGH 8.6 HIGH
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
CVE-2021-27919 2 Fedoraproject, Golang 2 Fedora, Go 2022-03-30 4.3 MEDIUM 5.5 MEDIUM
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
CVE-2022-23773 2 Golang, Netapp 5 Go, Beegfs Csi Driver, Cloud Insights Telegraf Agent and 2 more 2022-03-29 5.0 MEDIUM 7.5 HIGH
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
CVE-2021-33194 1 Golang 1 Go 2022-03-26 5.0 MEDIUM 7.5 HIGH
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
CVE-2021-39293 2 Golang, Netapp 2 Go, Cloud Insights Telegraf 2022-03-04 5.0 MEDIUM 7.5 HIGH
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
CVE-2021-34558 4 Fedoraproject, Golang, Netapp and 1 more 6 Fedora, Go, Cloud Insights Telegraf and 3 more 2022-03-01 2.6 LOW 6.5 MEDIUM
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2021-41771 3 Debian, Fedoraproject, Golang 3 Debian Linux, Fedora, Go 2022-02-10 5.0 MEDIUM 7.5 HIGH
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.