Total
121 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-23806 | 3 Debian, Golang, Netapp | 6 Debian Linux, Go, Beegfs Csi Driver and 3 more | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. | |||||
CVE-2022-28327 | 2 Fedoraproject, Golang | 3 Extra Packages For Enterprise Linux, Fedora, Go | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. | |||||
CVE-2021-44717 | 3 Debian, Golang, Opengroup | 3 Debian Linux, Go, Unix | 2023-12-10 | 5.8 MEDIUM | 4.8 MEDIUM |
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. | |||||
CVE-2021-39293 | 2 Golang, Netapp | 2 Go, Cloud Insights Telegraf | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. | |||||
CVE-2021-41772 | 3 Fedoraproject, Golang, Oracle | 3 Fedora, Go, Timesten In-memory Database | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. | |||||
CVE-2021-23772 | 2 Golang, Iris-go | 2 Go, Iris | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder. | |||||
CVE-2021-41771 | 3 Debian, Fedoraproject, Golang | 3 Debian Linux, Fedora, Go | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. | |||||
CVE-2021-44716 | 3 Debian, Golang, Netapp | 3 Debian Linux, Go, Cloud Insights Telegraf | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. | |||||
CVE-2021-38297 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. | |||||
CVE-2021-33195 | 2 Golang, Netapp | 2 Go, Cloud Insights Telegraf Agent | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | |||||
CVE-2021-34558 | 4 Fedoraproject, Golang, Netapp and 1 more | 6 Fedora, Go, Cloud Insights Telegraf and 3 more | 2023-12-10 | 2.6 LOW | 6.5 MEDIUM |
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. | |||||
CVE-2021-33194 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. | |||||
CVE-2021-33196 | 2 Debian, Golang | 2 Debian Linux, Go | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. | |||||
CVE-2021-33197 | 1 Golang | 1 Go | 2023-12-10 | 4.3 MEDIUM | 5.3 MEDIUM |
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | |||||
CVE-2012-2666 | 1 Golang | 1 Go | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. | |||||
CVE-2021-31525 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2023-12-10 | 2.6 LOW | 5.9 MEDIUM |
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. | |||||
CVE-2021-36221 | 5 Debian, Fedoraproject, Golang and 2 more | 6 Debian Linux, Fedora, Go and 3 more | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. | |||||
CVE-2021-29923 | 3 Fedoraproject, Golang, Oracle | 3 Fedora, Go, Timesten In-memory Database | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. | |||||
CVE-2021-33198 | 1 Golang | 1 Go | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | |||||
CVE-2021-27918 | 1 Golang | 1 Go | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. |