Filtered by vendor Golang
Subscriptions
Filtered by product Go
Subscriptions
Total
123 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-23806 | 3 Debian, Golang, Netapp | 6 Debian Linux, Go, Beegfs Csi Driver and 3 more | 2023-04-20 | 9.1 Critical |
| Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. | ||||
| CVE-2021-44716 | 3 Debian, Golang, Netapp | 3 Debian Linux, Go, Cloud Insights Telegraf | 2023-04-20 | 7.5 High |
| net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. | ||||
| CVE-2021-39293 | 2 Golang, Netapp | 2 Go, Cloud Insights Telegraf | 2023-04-20 | 7.5 High |
| In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. | ||||
| CVE-2021-33196 | 2 Debian, Golang | 2 Debian Linux, Go | 2023-04-20 | 7.5 High |
| In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. | ||||
| CVE-2022-27536 | 2 Apple, Golang | 2 Macos, Go | 2023-03-09 | 7.5 High |
| Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic. | ||||
| CVE-2021-27918 | 1 Golang | 1 Go | 2022-12-13 | 7.5 High |
| encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. | ||||
| CVE-2022-23772 | 3 Debian, Golang, Netapp | 6 Debian Linux, Go, Beegfs Csi Driver and 3 more | 2022-11-09 | 7.5 High |
| Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. | ||||
| CVE-2021-33195 | 2 Golang, Netapp | 2 Go, Cloud Insights Telegraf Agent | 2022-09-14 | 7.3 High |
| Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | ||||
| CVE-2021-33198 | 1 Golang | 1 Go | 2022-09-14 | 7.5 High |
| In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | ||||
| CVE-2021-33197 | 1 Golang | 1 Go | 2022-09-14 | 5.3 Medium |
| In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | ||||
| CVE-2018-7187 | 2 Debian, Golang | 2 Debian Linux, Go | 2022-08-16 | 8.8 High |
| The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | ||||
| CVE-2019-9634 | 2 Golang, Microsoft | 2 Go, Windows | 2022-08-16 | 7.8 High |
| Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. | ||||
| CVE-2020-0601 | 2 Golang, Microsoft | 5 Go, Windows, Windows 10 and 2 more | 2022-08-12 | 8.1 High |
| A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | ||||
| CVE-2021-23772 | 2 Golang, Iris-go | 2 Go, Iris | 2022-01-04 | 8.8 High |
| This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder. | ||||
| CVE-2012-2666 | 1 Golang | 1 Go | 2021-10-18 | 9.8 Critical |
| golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. | ||||
| CVE-2015-5741 | 2 Golang, Redhat | 3 Go, Enterprise Linux, Openstack | 2021-08-04 | 9.8 Critical |
| The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. | ||||
| CVE-2017-15041 | 3 Debian, Golang, Redhat | 7 Debian Linux, Go, Developer Tools and 4 more | 2021-03-19 | 9.8 Critical |
| Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get." | ||||
| CVE-2020-28851 | 1 Golang | 1 Go | 2021-02-22 | 7.5 High |
| In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | ||||
| CVE-2020-29510 | 2 Golang, Netapp | 2 Go, Trident | 2021-01-30 | 5.6 Medium |
| The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | ||||
| CVE-2019-11888 | 2 Golang, Microsoft | 2 Go, Windows | 2020-08-24 | N/A |
| Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. | ||||