7.5

CVE-2022-41715

EPSS 0.01%
Published 14.10.2022 15:16:20
Last modified 21.11.2024 07:23:43
Source security@golang.org
Teams watchlist Login
Open Login

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

Affected products Warnungen 0 Metrics 2 CWE 0 References 8

Data is provided by the National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.18.7

Golang ≫ Go Version >= 1.19.0 < 1.19.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.01%	0.018

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

https://groups.google.com/g/golang-announce/c/xtuG5faxtaU

Mailing List

Release Notes

https://security.gentoo.org/glsa/202311-09

https://go.dev/cl/439356

Patch

https://go.dev/issue/55949

Third Party Advisory

Issue Tracking

https://pkg.go.dev/vuln/GO-2022-1039

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-41715

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-41715

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-41715

EUVD