Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Go
(Golang)Repositories | https://github.com/golang/go |
#Vulnerabilities | 119 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2022-12-07 | CVE-2022-41720 | On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously... | Go | 7.5 | ||
2022-02-11 | CVE-2022-23772 | Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. | Debian_linux, Go, Beegfs_csi_driver, Cloud_insights_telegraf_agent, Kubernetes_monitoring_operator, Storagegrid | 7.5 | ||
2021-08-02 | CVE-2021-33195 | Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | Go, Cloud_insights_telegraf_agent | 7.3 | ||
2021-08-02 | CVE-2021-33197 | In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | Go | 5.3 | ||
2021-08-02 | CVE-2021-33198 | In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | Go | 7.5 | ||
2018-02-16 | CVE-2018-7187 | The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | Debian_linux, Go | 8.8 | ||
2019-03-08 | CVE-2019-9634 | Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. | Go | 7.8 | ||
2020-01-14 | CVE-2020-0601 | A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | Go, Windows_10, Windows_server_2016, Windows_server_2019 | 8.1 | ||
2021-07-09 | CVE-2012-2666 | golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. | Go | 9.8 | ||
2020-02-08 | CVE-2015-5741 | The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. | Go, Enterprise_linux, Openstack | 9.8 |