CVE-2021-29923
- EPSS 3.78%
- Veröffentlicht 07.08.2021 17:15:07
- Zuletzt bearbeitet 21.11.2024 06:01:59
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretati...
CVE-2021-33195
- EPSS 3.23%
- Veröffentlicht 02.08.2021 19:15:08
- Zuletzt bearbeitet 21.11.2024 06:08:29
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVE-2021-33196
- EPSS 3.46%
- Veröffentlicht 02.08.2021 19:15:08
- Zuletzt bearbeitet 21.11.2024 06:08:29
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-33197
- EPSS 2.28%
- Veröffentlicht 02.08.2021 19:15:08
- Zuletzt bearbeitet 21.11.2024 06:08:29
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
CVE-2021-33198
- EPSS 3.4%
- Veröffentlicht 02.08.2021 19:15:08
- Zuletzt bearbeitet 21.11.2024 06:08:30
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
CVE-2021-34558
- EPSS 6.98%
- Veröffentlicht 15.07.2021 14:15:19
- Zuletzt bearbeitet 21.11.2024 06:10:40
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2012-2666
- EPSS 1.94%
- Veröffentlicht 09.07.2021 11:15:07
- Zuletzt bearbeitet 21.11.2024 01:39:24
golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script.
CVE-2021-31525
- EPSS 3.69%
- Veröffentlicht 27.05.2021 13:15:08
- Zuletzt bearbeitet 21.11.2024 06:05:51
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-33194
- EPSS 7.29%
- Veröffentlicht 26.05.2021 15:15:08
- Zuletzt bearbeitet 21.11.2024 06:08:29
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
CVE-2021-27918
- EPSS 2.54%
- Veröffentlicht 11.03.2021 00:15:12
- Zuletzt bearbeitet 21.11.2024 05:58:48
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.