ioana-nicolae / 789 Goto Github PK

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/crypto/tls/key_agreement.go
/canner/goroot/src/crypto/tls/key_agreement.go

Vulnerability Details

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

Publish Date: 2021-07-15

URL: CVE-2021-34558

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-34558

Release Date: 2021-07-15

Fix Resolution: go1.16.6

Vulnerable Library - cryptography2.8

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

Library home page: https://github.com/pyca/cryptography.git

Found in base branch: master

Vulnerable Source Files (2)

/canner/.poetry/lib/poetry/_vendor/py2.7/cryptography/hazmat/backends/openssl/ciphers.py
/canner/.poetry/lib/poetry/_vendor/py2.7/cryptography/hazmat/backends/openssl/ciphers.py

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-07

Fix Resolution: cryptography - 3.3.2

Vulnerable Library - cryptography2.8

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

Library home page: https://github.com/pyca/cryptography.git

Found in base branch: master

Vulnerable Source Files (2)

/canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py
/canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2021-01-11

Fix Resolution: 3.2

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/math/big/ratconv.go

Vulnerability Details

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.

Publish Date: 2021-08-02

URL: CVE-2021-33198

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-33198

Release Date: 2021-08-02

Fix Resolution: go1.15.13, go1.16.5

Vulnerability Details

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

Publish Date: 2021-01-26

URL: CVE-2021-3115

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-3115

Release Date: 2021-01-26

Fix Resolution: go1.14.14,go1.15.7

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

Publish Date: 2022-08-10

URL: CVE-2022-30633

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (3)

/canner/goroot/src/encoding/binary/varint.go
/canner/goroot/src/encoding/binary/varint.go
/canner/goroot/src/encoding/binary/varint.go

Vulnerability Details

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

Publish Date: 2020-08-06

URL: CVE-2020-16845

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q6gq-997w-f55g

Release Date: 2020-08-06

Fix Resolution: go1.13.15,go1.14.7,github.com/ulikunitz/xz - v0.5.8

Vulnerable Library - gogo1.12beta2

The Go programming language

Library home page: https://github.com/go-notes/go.git

Found in base branch: master

Vulnerability Details

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

Publish Date: 2022-08-10

URL: CVE-2022-30580

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-08-10

Fix Resolution: go1.17.11,go1.18.3

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/cmd/go/internal/work/security.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.

Publish Date: 2020-11-18

URL: CVE-2020-28366

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

Vulnerability Details

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

Publish Date: 2019-03-13

URL: CVE-2019-9741

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9741

Release Date: 2019-03-13

Fix Resolution: 1.12.1

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/crypto/tls/handshake_server_tls13.go

Vulnerability Details

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

Publish Date: 2022-08-10

URL: CVE-2022-30629

CVSS 3 Score Details (3.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30629

Release Date: 2022-08-10

Fix Resolution: go1.17.11,go1.18.3

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (3)

/canner/goroot/src/compress/gzip/gunzip.go
/canner/goroot/src/compress/gzip/gunzip.go
/canner/goroot/src/compress/gzip/gunzip.go

Vulnerability Details

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.

Publish Date: 2022-08-10

URL: CVE-2022-30631

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30631

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.

Publish Date: 2022-08-10

URL: CVE-2022-32148

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-32148

Release Date: 2022-06-01

Fix Resolution: go1.17.12,go1.18.4

Vulnerable Libraries - pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl

Found in base branch: master

Vulnerability Details

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Publish Date: 2021-11-10

URL: CVE-2021-3572

CVSS 3 Score Details (5.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-3572

Release Date: 2021-11-10

Fix Resolution: pip - 21.1

Vulnerable Library - gogo1.12.2

The Go programming language

Library home page: https://github.com/go-notes/go.git

Found in base branch: master

Vulnerability Details

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

Publish Date: 2022-03-05

URL: CVE-2022-24921

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921

Release Date: 2022-03-05

Fix Resolution: v1.16.15,v1.17.8

Vulnerable Libraries - pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl

Found in base branch: master

Vulnerability Details

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Publish Date: 2020-05-08

URL: CVE-2018-20225

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-20225

Release Date: 2020-05-08

Fix Resolution: pip - 20.1.1

Vulnerable Library - urllib31dd69c5c5982fae7c87a620d487c2ebf7a6b436b

Python HTTP library with thread-safe connection pooling, file post support, user friendly, and more.

Library home page: https://github.com/urllib3/urllib3.git

Found in base branch: master

Vulnerable Source Files (1)

/canner/.poetry/lib/poetry/_vendor/py3.7/urllib3/util/url.py

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/cmd/go/internal/work/security.go

Vulnerability Details

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

Publish Date: 2020-11-18

URL: CVE-2020-28367

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/net/http/httputil/reverseproxy.go
/canner/goroot/src/net/http/httputil/reverseproxy.go

Vulnerability Details

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

Publish Date: 2021-08-02

URL: CVE-2021-33197

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-33197

Release Date: 2021-08-02

Fix Resolution: go1.15.13, go1.16.5

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.

Publish Date: 2022-08-10

URL: CVE-2022-30635

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30635

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (4)

/canner/goroot/src/crypto/x509/verify.go
/canner/goroot/src/crypto/x509/verify.go
/canner/goroot/src/crypto/x509/root_windows.go
/canner/goroot/src/crypto/x509/root_windows.go

Vulnerability Details

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

Publish Date: 2020-07-17

URL: CVE-2020-14039

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14039

Release Date: 2020-07-17

Fix Resolution: 1.13.13,1.14.5

Vulnerable Library - gopm0.7.3

Go Package Manager (gopm) is a package manager and build tool for Go.

Library home page: https://github.com/giter/gopm.git

Found in base branch: master

Vulnerable Source Files (2)

/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go

Vulnerability Details

In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Publish Date: 2020-06-23

URL: CVE-2020-7668

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7668

Release Date: 2020-07-07

Fix Resolution: v1.0.1

Vulnerable Library - https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/v3.7.10

Library home page: https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/

Found in base branch: master

Vulnerable Source Files (2)

/canner/.poetry/lib/poetry/_vendor/py3.8/urllib3/connection.py
/canner/.poetry/lib/poetry/_vendor/py3.8/urllib3/connection.py

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

Vulnerable Library - gogo1.12.7

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerability Details

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

Publish Date: 2020-07-17

URL: CVE-2020-15586

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586

Release Date: 2020-07-17

Fix Resolution: 1.13.13,1.14.5

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/crypto/x509/root_darwin.go
/canner/goroot/src/crypto/x509/root_darwin.go

Vulnerability Details

Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.

Publish Date: 2022-04-20

URL: CVE-2022-27536

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27536

Release Date: 2022-04-20

Fix Resolution: go1.18.1

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x before 1.18.4, stack exhaustion and a panic can occur via a deeply nested XML document.

Publish Date: 2022-08-10

URL: CVE-2022-28131

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131

Release Date: 2022-03-29

Fix Resolution: go1.17.12,go1.18.4

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/net/http/fcgi/child.go
/canner/goroot/src/net/http/fcgi/child.go

Vulnerability Details

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

Publish Date: 2020-09-02

URL: CVE-2020-24553

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs

Release Date: 2020-09-02

Fix Resolution: 1.15.1,1.14.8

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/crypto/dsa/dsa.go
/canner/goroot/src/crypto/dsa/dsa.go

Vulnerability Details

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Publish Date: 2019-10-24

URL: CVE-2019-17596

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596

Release Date: 2019-10-24

Fix Resolution: Go-1.12.11,1.13.2

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.

Publish Date: 2021-11-08

URL: CVE-2021-41771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41771

Release Date: 2021-11-08

Fix Resolution: go1.16.10,go1.17.3

Vulnerable Library - gogo1.12.7

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/net/http/h2_bundle.go
/canner/goroot/src/net/http/h2_bundle.go

Vulnerability Details

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Publish Date: 2019-08-13

URL: CVE-2019-9512

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512

Release Date: 2019-08-13

Fix Resolution: io.netty:netty-codec-http2:4.1.39.Final

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

In filepath.Clean in path/filepath in Go before 1.17.11 and 1.18.x before 1.18.3 on Windows, invalid paths such as .\c: could be converted to valid paths (such as c: in this example).

Publish Date: 2022-08-10

URL: CVE-2022-29804

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2022-08-10

Fix Resolution: go1.18.3,go1.17.11

Vulnerable Library - gopkg.in/yaml.v2-v2.0.0

YAML support for the Go language.

Dependency Hierarchy:

• ❌ gopkg.in/yaml.v2-v2.0.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-02

Fix Resolution: v2.2.8

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/encoding/xml/xml.go

Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11

URL: CVE-2021-27918

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Release Date: 2021-03-11

Fix Resolution: 1.15.9, 1.16.1

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/math/big/nat.go
/canner/goroot/src/math/big/nat.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.

Publish Date: 2020-11-18

URL: CVE-2020-28362

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

Vulnerable Library - gopm0.7.3

Go Package Manager (gopm) is a package manager and build tool for Go.

Library home page: https://github.com/giter/gopm.git

Found in base branch: master

Vulnerable Source Files (3)

/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/zip/read.go
/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
/canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go

Vulnerability Details

In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Publish Date: 2020-06-23

URL: CVE-2020-7664

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7664

Release Date: 2020-07-07

Fix Resolution: v1.0.1

Vulnerability Details

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

Publish Date: 2022-07-15

URL: CVE-2022-30634

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30634

Release Date: 2022-07-15

Fix Resolution: go1.17.11,go1.18.3

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.

Publish Date: 2021-03-11

URL: CVE-2021-27919

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw?pli=1

Release Date: 2021-03-11

Fix Resolution: 1.16.1

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.

Publish Date: 2021-08-02

URL: CVE-2021-33195

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://security.archlinux.org/CVE-2021-33195

Release Date: 2021-08-02

Fix Resolution: go1.15.13, go1.16.5

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/net/ip.go
/canner/goroot/src/net/ip.go

Vulnerability Details

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

Publish Date: 2021-08-07

URL: CVE-2021-29923

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29923

Release Date: 2021-08-07

Fix Resolution: go1.17

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/crypto/elliptic/elliptic.go
/canner/goroot/src/crypto/elliptic/p224.go

Vulnerability Details

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

Publish Date: 2022-02-11

URL: CVE-2022-23806

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ

Release Date: 2022-02-11

Fix Resolution: go1.16.14,go1.17.7

Vulnerable Libraries - github.com/masterminds/vcs-v1.11.1, github.com/masterminds/vcs-v1.13.1

Found in base branch: master

Vulnerability Details

The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Publish Date: 2022-04-01

URL: CVE-2022-21235

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21235

Release Date: 2022-04-01

Fix Resolution: v1.13.2

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/math/big/ratconv.go

Vulnerability Details

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

Publish Date: 2022-02-11

URL: CVE-2022-23772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ

Release Date: 2022-02-11

Fix Resolution: go1.16.14,go1.17.7

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/crypto/elliptic/p224.go

Vulnerability Details

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

Publish Date: 2021-01-26

URL: CVE-2021-3114

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1918750

Release Date: 2021-01-26

Fix Resolution: go1.14.14, go1.15.7

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

Publish Date: 2021-08-02

URL: CVE-2021-33196

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33196

Release Date: 2021-08-02

Fix Resolution: golang-1.7 - 1.7.4-2+deb9u4;golang-1.8 - 1.8.1-1+deb9u4;golang-1.15 - 1.15.9-4

Vulnerable Library - pip-19.1.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl

Path to vulnerable library: /canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl

Dependency Hierarchy:

• ❌ pip-19.1.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

Publish Date: 2020-09-04

URL: CVE-2019-20916

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916

Release Date: 2020-09-04

Fix Resolution: 19.2

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/cmd/go/internal/modfetch/coderepo.go

Vulnerability Details

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Publish Date: 2022-02-11

URL: CVE-2022-23773

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ?pli=1

Release Date: 2022-02-11

Fix Resolution: go1.16.14,go1.17.7

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerable Source Files (1)

/canner/goroot/src/net/http/transfer.go

Vulnerability Details

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

Publish Date: 2022-08-10

URL: CVE-2022-1705

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-1705

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.

Publish Date: 2022-08-10

URL: CVE-2022-1962

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-1962

Release Date: 2022-06-01

Fix Resolution: go1.17.12,go1.18.4

Vulnerable Library - gogo1.12.7

The Go programming language

Library home page: https://github.com/golang/go.git

Found in base branch: master

Vulnerable Source Files (2)

/canner/goroot/src/net/http/h2_bundle.go
/canner/goroot/src/net/http/h2_bundle.go

Vulnerability Details

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Publish Date: 2019-08-13

URL: CVE-2019-9514

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514

Release Date: 2019-08-13

Fix Resolution: 7.1.7,8.0.4

Vulnerable Library - gccgcc-10.2.0

Gnu Distributions

Library home page: https://ftp.gnu.org/gnu/gcc?wsslib=gcc

Found in base branch: master

Vulnerability Details

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

Publish Date: 2019-09-30

URL: CVE-2019-16276

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276

Release Date: 2019-09-30

Fix Resolution: 1.12.10;1.13.1