Total
121 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-28851 | 1 Golang | 1 Go | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | |||||
CVE-2020-28362 | 3 Fedoraproject, Golang, Netapp | 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. | |||||
CVE-2020-28366 | 3 Fedoraproject, Golang, Netapp | 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more | 2023-12-10 | 5.1 MEDIUM | 7.5 HIGH |
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. | |||||
CVE-2021-3114 | 4 Debian, Fedoraproject, Golang and 1 more | 5 Debian Linux, Fedora, Go and 2 more | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. | |||||
CVE-2021-27919 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. | |||||
CVE-2020-29510 | 2 Golang, Netapp | 2 Go, Trident | 2023-12-10 | 6.8 MEDIUM | 5.6 MEDIUM |
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
CVE-2020-29511 | 2 Golang, Netapp | 2 Go, Trident | 2023-12-10 | 6.8 MEDIUM | 5.6 MEDIUM |
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
CVE-2020-29509 | 2 Golang, Netapp | 2 Go, Trident | 2023-12-10 | 6.8 MEDIUM | 5.6 MEDIUM |
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
CVE-2021-3115 | 4 Fedoraproject, Golang, Microsoft and 1 more | 5 Fedora, Go, Windows and 2 more | 2023-12-10 | 5.1 MEDIUM | 7.5 HIGH |
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). | |||||
CVE-2020-28367 | 1 Golang | 1 Go | 2023-12-10 | 5.1 MEDIUM | 7.5 HIGH |
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. | |||||
CVE-2020-7919 | 4 Debian, Fedoraproject, Golang and 1 more | 4 Debian Linux, Fedora, Go and 1 more | 2023-12-10 | 7.8 HIGH | 7.5 HIGH |
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. | |||||
CVE-2020-24553 | 4 Fedoraproject, Golang, Opensuse and 1 more | 4 Fedora, Go, Leap and 1 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. | |||||
CVE-2020-14039 | 2 Golang, Opensuse | 2 Go, Leap | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. | |||||
CVE-2020-15586 | 5 Cloudfoundry, Debian, Fedoraproject and 2 more | 6 Cf-deployment, Routing-release, Debian Linux and 3 more | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. | |||||
CVE-2020-16845 | 4 Debian, Fedoraproject, Golang and 1 more | 4 Debian Linux, Fedora, Go and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. | |||||
CVE-2015-5741 | 2 Golang, Redhat | 3 Go, Enterprise Linux, Openstack | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. | |||||
CVE-2019-16276 | 6 Debian, Fedoraproject, Golang and 3 more | 9 Debian Linux, Fedora, Go and 6 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. | |||||
CVE-2020-0601 | 2 Golang, Microsoft | 5 Go, Windows, Windows 10 and 2 more | 2023-12-10 | 5.8 MEDIUM | 8.1 HIGH |
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | |||||
CVE-2019-17596 | 6 Arista, Debian, Fedoraproject and 3 more | 11 Cloudvision Portal, Eos, Mos and 8 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. | |||||
CVE-2019-9741 | 4 Debian, Fedoraproject, Golang and 1 more | 5 Debian Linux, Fedora, Go and 2 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. |