Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Go
(Golang)| Repositories | https://github.com/golang/go |
| #Vulnerabilities | 119 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-02-28 | CVE-2022-41722 | A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b". | Go | 7.5 | ||
| 2023-03-08 | CVE-2023-24532 | The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. | Go | 5.3 | ||
| 2023-05-11 | CVE-2023-24539 | Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. | Go | 7.3 | ||
| 2023-05-11 | CVE-2023-24540 | Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. | Go | 9.8 | ||
| 2023-05-11 | CVE-2023-29400 | Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. | Go | 7.3 | ||
| 2022-01-01 | CVE-2021-44717 | Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. | Debian_linux, Go | 4.8 | ||
| 2022-02-11 | CVE-2022-23773 | cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. | Go, Beegfs_csi_driver, Cloud_insights_telegraf_agent, Kubernetes_monitoring_operator, Storagegrid | 7.5 | ||
| 2022-03-05 | CVE-2022-24921 | regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. | Debian_linux, Go, Astra_trident | 7.5 | ||
| 2020-12-14 | CVE-2020-29509 | The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | Go, Trident | 5.6 | ||
| 2020-12-14 | CVE-2020-29511 | The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | Go, Trident | 5.6 |