ioana-nicolae / 789
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/crypto/tls/key_agreement.go
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
Publish Date: 2021-07-15
URL: CVE-2021-34558
Base Score Metrics:
Type: Upgrade version
Origin: https://security.archlinux.org/CVE-2021-34558
Release Date: 2021-07-15
Fix Resolution: go1.16.6
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
Library home page: https://github.com/pyca/cryptography.git
Found in base branch: master
/canner/.poetry/lib/poetry/_vendor/py2.7/cryptography/hazmat/backends/openssl/ciphers.py
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Publish Date: 2021-02-07
URL: CVE-2020-36242
Base Score Metrics:
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
Library home page: https://github.com/pyca/cryptography.git
Found in base branch: master
/canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
Publish Date: 2021-01-11
URL: CVE-2020-25659
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hggm-jpg3-v476
Release Date: 2021-01-11
Fix Resolution: 3.2
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
Publish Date: 2021-08-02
URL: CVE-2021-33198
Base Score Metrics:
Type: Upgrade version
Origin: https://security.archlinux.org/CVE-2021-33198
Release Date: 2021-08-02
Fix Resolution: go1.15.13, go1.16.5
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Publish Date: 2021-01-26
URL: CVE-2021-3115
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-3115
Release Date: 2021-01-26
Fix Resolution: go1.14.14,go1.15.7
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
Publish Date: 2022-08-10
URL: CVE-2022-30633
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633
Release Date: 2022-05-13
Fix Resolution: go1.17.12,go1.18.4
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/encoding/binary/varint.go
Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Publish Date: 2020-08-06
URL: CVE-2020-16845
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q6gq-997w-f55g
Release Date: 2020-08-06
Fix Resolution: go1.13.15,go1.14.7,github.com/ulikunitz/xz - v0.5.8
The Go programming language
Library home page: https://github.com/go-notes/go.git
Found in base branch: master
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Publish Date: 2022-08-10
URL: CVE-2022-30580
Base Score Metrics:
The Go programming language
Library home page: https://github.com/golang/go.git
Found in base branch: master
Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection: when cgo is in use, the go command can execute arbitrary code at build time because of malicious symbol names in linked object files (cmd/go), so building untrusted code is enough to trigger it.
Publish Date: 2020-11-18
URL: CVE-2020-28366
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
Release Date: 2020-11-18
Fix Resolution: 1.14.12, 1.15.5
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
Publish Date: 2019-03-13
URL: CVE-2019-9741
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9741
Release Date: 2019-03-13
Fix Resolution: 1.12.1
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Publish Date: 2022-08-10
URL: CVE-2022-30629
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30629
Release Date: 2022-08-10
Fix Resolution: go1.17.11,go1.18.3
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/compress/gzip/gunzip.go
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
Publish Date: 2022-08-10
URL: CVE-2022-30631
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30631
Release Date: 2022-05-13
Fix Resolution: go1.17.12,go1.18.4
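The gzip finding above (CVE-2022-30631) is the concatenated-member case. As an added example, not code from this page or from the Go project, the program below constructs such an archive in memory and reads it defensively: Multistream(false) makes the reader stop at the first member boundary instead of walking every member, a LimitReader bounds the decompressed size regardless of what the header claims, and a member cap bounds how many members a caller is willing to walk. The payload, member count and limits are constructed values.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when decompressed output would exceed the caller's bound.
var ErrTooLarge = errors.New("decompressed output exceeds limit")

// ConcatenatedGzip builds a constructed test archive: one real member
// followed by n zero-length members, the shape described for CVE-2022-30631.
func ConcatenatedGzip(payload string, n int) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write([]byte(payload))
	w.Close()
	for i := 0; i < n; i++ {
		empty := gzip.NewWriter(&buf)
		empty.Close() // header + empty deflate stream + trailer
	}
	return buf.Bytes()
}

// ReadFirstMemberBounded decompresses only the first gzip member and refuses
// to return more than limit bytes. Multistream(false) makes Read stop at the
// first member boundary; the LimitReader bounds output no matter what the
// archive claims about its size.
func ReadFirstMemberBounded(archive []byte, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	zr.Multistream(false)
	out, err := io.ReadAll(io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrTooLarge
	}
	return out, nil
}

// CountMembers walks the archive one member at a time (Multistream(false),
// then Reset for each following member) and fails once maxMembers is
// exceeded, so a hostile archive cannot drive unbounded work.
func CountMembers(archive []byte, maxMembers int) (int, error) {
	src := bytes.NewReader(archive)
	zr, err := gzip.NewReader(src)
	if err != nil {
		return 0, err
	}
	defer zr.Close()
	count := 0
	for {
		zr.Multistream(false) // Reset re-enables multistream mode, so set it every iteration
		if _, err := io.Copy(io.Discard, zr); err != nil {
			return count, err
		}
		count++
		if count > maxMembers {
			return count, fmt.Errorf("more than %d gzip members", maxMembers)
		}
		if err := zr.Reset(src); err == io.EOF {
			return count, nil // no further member: clean end of archive
		} else if err != nil {
			return count, err
		}
	}
}

func main() {
	archive := ConcatenatedGzip("hello, world", 1000) // constructed: 1 real + 1000 empty members
	first, err := ReadFirstMemberBounded(archive, 1<<20)
	fmt.Printf("first member: %q err=%v\n", first, err)
	n, err := CountMembers(archive, 10)
	fmt.Printf("members walked: %d err=%v\n", n, err)
}
```

Multistream(false) is the right default whenever the caller only expects one logical stream (a single compressed file or HTTP body); the member-walking loop is for the rare case where concatenated members are legitimate and a cap is still wanted.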
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
Publish Date: 2022-08-10
URL: CVE-2022-32148
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-32148
Release Date: 2022-06-01
Fix Resolution: go1.17.12,go1.18.4
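CVE-2022-32148 above turns on one detail of httputil.ReverseProxy: a Header map entry whose value is nil means "do not add X-Forwarded-For", while deleting the key makes the proxy add the client IP itself. The program below is an added example, not code from this page or from the Go project; it drives a ReverseProxy through a recording RoundTripper (no network) and reports what the backend would receive under each policy. The backend URL is hypothetical, and the client address and spoofed header value are constructed from RFC 5737 documentation ranges.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// recordingTransport stands in for the backend connection. It records the
// X-Forwarded-For values that would actually be serialized on the wire (a key
// present with a nil value is never written) and answers 200 OK.
type recordingTransport struct {
	xff []string
}

func (t *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.xff = append([]string(nil), req.Header.Values("X-Forwarded-For")...)
	return &http.Response{
		Status:     "200 OK",
		StatusCode: http.StatusOK,
		Proto:      "HTTP/1.1",
		ProtoMajor: 1,
		ProtoMinor: 1,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    req,
	}, nil
}

// Mode selects what the proxy's Director does with X-Forwarded-For.
type Mode int

const (
	Passthrough Mode = iota // default: append the client IP to whatever the client sent
	DeleteKey               // Header.Del: looks private, but the proxy then adds the client IP
	NilKey                  // Header[key] = nil: the documented way to suppress the header
)

// ForwardedForSeenByBackend proxies one request under the given policy and
// returns the X-Forwarded-For values the backend would receive. clientAddr is
// what the listener saw (RemoteAddr); spoofed, if non-empty, is a value the
// client put in its own X-Forwarded-For to impersonate another address.
func ForwardedForSeenByBackend(mode Mode, clientAddr, spoofed string) ([]string, error) {
	backend, err := url.Parse("http://backend.internal.example") // hypothetical upstream
	if err != nil {
		return nil, err
	}
	rt := &recordingTransport{}
	proxy := httputil.NewSingleHostReverseProxy(backend)
	proxy.Transport = rt
	base := proxy.Director
	proxy.Director = func(req *http.Request) {
		base(req)
		switch mode {
		case DeleteKey:
			req.Header.Del("X-Forwarded-For")
		case NilKey:
			req.Header["X-Forwarded-For"] = nil
		}
	}

	req := httptest.NewRequest(http.MethodGet, "http://frontend.example/", nil)
	req.RemoteAddr = clientAddr
	if spoofed != "" {
		req.Header.Set("X-Forwarded-For", spoofed)
	}
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return rt.xff, nil
}

func main() {
	const client = "203.0.113.7:51234" // constructed: RFC 5737 TEST-NET-3
	for _, m := range []Mode{Passthrough, DeleteKey, NilKey} {
		got, _ := ForwardedForSeenByBackend(m, client, "198.51.100.9")
		fmt.Printf("mode=%d backend sees X-Forwarded-For=%q\n", m, got)
	}
}
```

On a fixed Go release NilKey yields no header at all; on the affected releases the nil entry was lost when the request headers were cloned, so the backend still received the client IP, which is the exposure the advisory describes. Note also that Passthrough forwards whatever the client claimed, so a proxy that is the first hop should use NilKey and set the header itself from RemoteAddr if the backend needs it.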
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: /canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy:
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl
Path to vulnerable library: /canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
Dependency Hierarchy:
Found in base branch: master
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Publish Date: 2021-11-10
URL: CVE-2021-3572
Base Score Metrics:
Type: Upgrade version
Origin: https://security.archlinux.org/CVE-2021-3572
Release Date: 2021-11-10
Fix Resolution: pip - 21.1
The Go programming language
Library home page: https://github.com/go-notes/go.git
Found in base branch: master
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
Publish Date: 2022-03-05
URL: CVE-2022-24921
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921
Release Date: 2022-03-05
Fix Resolution: v1.16.15,v1.17.8
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: /canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy:
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl
Path to vulnerable library: /canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
Dependency Hierarchy:
Found in base branch: master
** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
Publish Date: 2020-05-08
URL: CVE-2018-20225
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-20225
Release Date: 2020-05-08
Fix Resolution: pip - 20.1.1
Python HTTP library with thread-safe connection pooling, file post support, user friendly, and more.
Library home page: https://github.com/urllib3/urllib3.git
Found in base branch: master
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
The Go programming language
Library home page: https://github.com/golang/go.git
Found in base branch: master
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
Publish Date: 2020-11-18
URL: CVE-2020-28367
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
Release Date: 2020-11-18
Fix Resolution: 1.14.12, 1.15.5
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/net/http/httputil/reverseproxy.go
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
Publish Date: 2021-08-02
URL: CVE-2021-33197
Base Score Metrics:
Type: Upgrade version
Origin: https://security.archlinux.org/CVE-2021-33197
Release Date: 2021-08-02
Fix Resolution: go1.15.13, go1.16.5
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
Publish Date: 2022-08-10
URL: CVE-2022-30635
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30635
Release Date: 2022-05-13
Fix Resolution: go1.17.12,go1.18.4
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/crypto/x509/verify.go
/canner/goroot/src/crypto/x509/root_windows.go
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
Publish Date: 2020-07-17
URL: CVE-2020-14039
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14039
Release Date: 2020-07-17
Fix Resolution: 1.13.13,1.14.5
Go Package Manager (gopm) is a package manager and build tool for Go.
Library home page: https://github.com/giter/gopm.git
Found in base branch: master
/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
Publish Date: 2020-06-23
URL: CVE-2020-7668
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7668
Release Date: 2020-07-07
Fix Resolution: v1.0.1
Library home page: https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/
Found in base branch: master
/canner/.poetry/lib/poetry/_vendor/py3.8/urllib3/connection.py
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
The Go programming language
Library home page: https://github.com/golang/go.git
Found in base branch: master
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
Publish Date: 2020-07-17
URL: CVE-2020-15586
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586
Release Date: 2020-07-17
Fix Resolution: 1.13.13,1.14.5
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/crypto/x509/root_darwin.go
Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.
Publish Date: 2022-04-20
URL: CVE-2022-27536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27536
Release Date: 2022-04-20
Fix Resolution: go1.18.1
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x before 1.18.4, stack exhaustion and a panic can occur via a deeply nested XML document.
Publish Date: 2022-08-10
URL: CVE-2022-28131
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131
Release Date: 2022-03-29
Fix Resolution: go1.17.12,go1.18.4
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/net/http/fcgi/child.go
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Publish Date: 2020-09-02
URL: CVE-2020-24553
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs
Release Date: 2020-09-02
Fix Resolution: 1.15.1,1.14.8
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/crypto/dsa/dsa.go
Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
Publish Date: 2019-10-24
URL: CVE-2019-17596
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596
Release Date: 2019-10-24
Fix Resolution: 1.12.11, 1.13.2
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 accesses a memory location after the end of a buffer, i.e. an out-of-bounds slice.
Publish Date: 2021-11-08
URL: CVE-2021-41771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41771
Release Date: 2021-11-08
Fix Resolution: go1.16.10,go1.17.3
The Go programming language
Library home page: https://github.com/golang/go.git
Found in base branch: master
/canner/goroot/src/net/http/h2_bundle.go
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Publish Date: 2019-08-13
URL: CVE-2019-9512
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
Release Date: 2019-08-13
Fix Resolution: io.netty:netty-codec-http2:4.1.39.Final (as listed by the scanner; this is a Netty release, not a Go one. Go fixed CVE-2019-9512 and CVE-2019-9514 in go1.11.13 and go1.12.8.)
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
In filepath.Clean in path/filepath in Go before 1.17.11 and 1.18.x before 1.18.3 on Windows, invalid paths such as .\c: could be converted to valid paths (such as c: in this example).
Publish Date: 2022-08-10
URL: CVE-2022-29804
Base Score Metrics:
YAML support for the Go language.
Dependency Hierarchy:
Found in base branch: master
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
Base Score Metrics:
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
Publish Date: 2021-03-11
URL: CVE-2021-27918
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
Release Date: 2021-03-11
Fix Resolution: 1.15.9, 1.16.1
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Go before 1.14.12 and 1.15.x before 1.15.5 allows Denial of Service: math/big can panic during recursive division of very large integers, so code that divides attacker-supplied big integers can be crashed.
Publish Date: 2020-11-18
URL: CVE-2020-28362
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI
Release Date: 2020-11-18
Fix Resolution: 1.14.12, 1.15.5
Go Package Manager (gopm) is a package manager and build tool for Go.
Library home page: https://github.com/giter/gopm.git
Found in base branch: master
/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/zip/read.go
/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
Publish Date: 2020-06-23
URL: CVE-2020-7664
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7664
Release Date: 2020-07-07
Fix Resolution: v1.0.1
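Both cae findings on this page (CVE-2020-7668 for github.com/unknwon/cae/tz and CVE-2020-7664 for github.com/unknwon/cae/zip) are the same defect: ExtractTo trusts entry names that contain "..". The program below is an added example, not cae's code and not from this page, showing the check an extractor needs: resolve the name under the destination, reject anything that lands outside it, then write with O_EXCL so existing files such as authorized_keys cannot be replaced, and cap each entry's size instead of trusting the header. The archive contents and destination directory are constructed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks an entry name that would land outside the destination.
var ErrUnsafePath = errors.New("archive entry escapes destination directory")

// Entry is a constructed (name, content) pair for building test archives.
type Entry struct{ Name, Content string }

// BuildArchive writes entries to an in-memory zip (a test helper, so it ignores
// write errors). archive/zip stores names verbatim, so "../../x" survives intact.
func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e.Name)
		io.WriteString(w, e.Content)
	}
	zw.Close()
	return buf.Bytes()
}

// SafeJoin resolves an entry name under dest and rejects anything that would
// escape it: empty names, absolute paths, drive letters, backslashes, and
// leading or embedded ".." components ("../x", "a/../../x").
func SafeJoin(dest, name string) (string, error) {
	if name == "" || strings.Contains(name, `\`) || strings.HasPrefix(name, "/") || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	destClean := filepath.Clean(dest)
	target := filepath.Join(destClean, filepath.FromSlash(name)) // Join cleans: "a/../../x" -> dest/../x
	rel, err := filepath.Rel(destClean, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return target, nil
}

// writeEntry copies one file entry to target: parents are created, existing
// files are never overwritten (O_EXCL), and output is capped at maxBytes.
func writeEntry(f *zip.File, target string, maxBytes int64) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, io.LimitReader(rc, maxBytes))
	return err
}

// ExtractZip extracts archive below dest, stopping at the first unsafe name.
// It returns the file paths it created so far.
func ExtractZip(archive []byte, dest string, maxBytes int64) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range zr.File {
		target, err := SafeJoin(dest, f.Name)
		if err != nil {
			return written, err
		}
		if f.FileInfo().IsDir() {
			continue // parent directories are created on demand by writeEntry
		}
		if err := writeEntry(f, target, maxBytes); err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

func main() {
	dest, _ := os.MkdirTemp("", "unzip-demo")
	defer os.RemoveAll(dest)
	archive := BuildArchive([]Entry{{"docs/readme.txt", "safe\n"}, {"../../escape.txt", "bad\n"}})
	written, err := ExtractZip(archive, dest, 1<<20)
	fmt.Println("written:", written, "error:", err)
}
```

The same SafeJoin check applies to tar extraction, and it is also the condition archive/zip's own Reader.Open enforces via fs.ValidPath, which is why CVE-2021-27919 on this page shows up as a panic on "../" names rather than as a traversal.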
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
Publish Date: 2022-07-15
URL: CVE-2022-30634
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-30634
Release Date: 2022-07-15
Fix Resolution: go1.17.11,go1.18.3
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
Publish Date: 2021-03-11
URL: CVE-2021-27919
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw?pli=1
Release Date: 2021-03-11
Fix Resolution: 1.16.1
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
Publish Date: 2021-08-02
URL: CVE-2021-33195
Base Score Metrics:
Type: Upgrade version
Origin: https://security.archlinux.org/CVE-2021-33195
Release Date: 2021-08-02
Fix Resolution: go1.15.13, go1.16.5
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
Publish Date: 2021-08-07
URL: CVE-2021-29923
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29923
Release Date: 2021-08-07
Fix Resolution: go1.17
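For CVE-2021-29923 above, the practical question is how to keep an IP-based allow-list safe when the text may have passed through software that reads leading zeros as octal. The following is an added example, not code from this page or from the Go project: a strict dotted-quad parser that rejects leading zeros before the address reaches net.ParseIP, used by an allow-list check, plus a small function showing that netip.ParseAddr (Go 1.18+) already rejects them. The CIDR and candidate addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// StrictParseIPv4 accepts only canonical dotted-decimal IPv4 text. It rejects
// the leading-zero forms ("010.0.0.1", "08.0.0.1") that Go before 1.17 parsed
// as decimal while libc inet_aton, curl and many shells read them as octal,
// so the same string could name two different hosts depending on the parser.
func StrictParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four dotted-decimal octets", s)
	}
	for _, p := range parts {
		if p == "" || len(p) > 3 {
			return nil, fmt.Errorf("%q: malformed octet %q", s, p)
		}
		if len(p) > 1 && p[0] == '0' {
			return nil, fmt.Errorf("%q: octet %q has a leading zero (octal-ambiguous)", s, p)
		}
		for i := 0; i < len(p); i++ {
			if p[i] < '0' || p[i] > '9' {
				return nil, fmt.Errorf("%q: non-digit in octet %q", s, p)
			}
		}
	}
	ip := net.ParseIP(s) // the range check (each octet <= 255) is left to the standard parser
	if ip == nil || ip.To4() == nil {
		return nil, fmt.Errorf("%q: not a valid IPv4 address", s)
	}
	return ip, nil
}

// InTrustedCIDR is an allow-list check. addr is untrusted text (a header, a
// config value written by another tool); cidr is operator-controlled.
func InTrustedCIDR(addr, cidr string) (bool, error) {
	ip, err := StrictParseIPv4(addr)
	if err != nil {
		return false, err
	}
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	return network.Contains(ip), nil
}

// ModernParse shows that net/netip (Go 1.18+) already refuses leading zeros,
// so code on current Go can use netip.ParseAddr instead of the manual check.
func ModernParse(s string) (netip.Addr, error) {
	return netip.ParseAddr(s)
}

func main() {
	// Constructed inputs: a private allow-list and four candidate addresses.
	for _, s := range []string{"10.0.0.1", "010.0.0.1", "08.0.0.1", "11.0.0.1"} {
		ok, err := InTrustedCIDR(s, "10.0.0.0/8")
		fmt.Printf("%-10s allowed=%-5v err=%v\n", s, ok, err)
	}
}
```

Rejecting the ambiguous form is safer than picking one interpretation: an address string that is accepted should mean the same host to every component that later sees it.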
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
/canner/goroot/src/crypto/elliptic/elliptic.go
/canner/goroot/src/crypto/elliptic/p224.go
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
Publish Date: 2022-02-11
URL: CVE-2022-23806
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
Release Date: 2022-02-11
Fix Resolution: go1.16.14,go1.17.7
VCS Repo management through a common interface in Go
Dependency Hierarchy:
VCS Repo management through a common interface in Go
Dependency Hierarchy:
Found in base branch: master
The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-01
URL: CVE-2022-21235
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21235
Release Date: 2022-04-01
Fix Resolution: v1.13.2
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
Publish Date: 2022-02-11
URL: CVE-2022-23772
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
Release Date: 2022-02-11
Fix Resolution: go1.16.14,go1.17.7
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
Publish Date: 2021-01-26
URL: CVE-2021-3114
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1918750
Release Date: 2021-01-26
Fix Resolution: go1.14.14, go1.15.7
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
Publish Date: 2021-08-02
URL: CVE-2021-33196
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33196
Release Date: 2021-08-02
Fix Resolution: golang-1.7 - 1.7.4-2+deb9u4;golang-1.8 - 1.8.1-1+deb9u4;golang-1.15 - 1.15.9-4
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: /canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy:
Found in base branch: master
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Publish Date: 2020-09-04
URL: CVE-2019-20916
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916
Release Date: 2020-09-04
Fix Resolution: 19.2
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
Publish Date: 2022-02-11
URL: CVE-2022-23773
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ?pli=1
Release Date: 2022-02-11
Fix Resolution: go1.16.14,go1.17.7
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Publish Date: 2022-08-10
URL: CVE-2022-1705
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-1705
Release Date: 2022-05-13
Fix Resolution: go1.17.12,go1.18.4
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
Publish Date: 2022-08-10
URL: CVE-2022-1962
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-1962
Release Date: 2022-06-01
Fix Resolution: go1.17.12,go1.18.4
The Go programming language
Library home page: https://github.com/golang/go.git
Found in base branch: master
/canner/goroot/src/net/http/h2_bundle.go
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Publish Date: 2019-08-13
URL: CVE-2019-9514
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
Release Date: 2019-08-13
Fix Resolution: 7.1.7,8.0.4 (as listed by the scanner; these are not Go releases. Go fixed CVE-2019-9512 and CVE-2019-9514 in go1.11.13 and go1.12.8.)
Gnu Distributions
Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc
Found in base branch: master
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling: net/http (via net/textproto) accepted and normalized invalid HTTP/1.1 header lines with a space before the colon, so a reverse proxy that forwards such headers without normalizing them and the Go server behind it can interpret the same request differently, enabling filter bypasses or smuggling.
Publish Date: 2019-09-30
URL: CVE-2019-16276
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276
Release Date: 2019-09-30
Fix Resolution: 1.12.10;1.13.1