Skip to content

Instantly share code, notes, and snippets.

@erikpaasonen

erikpaasonen/security_export.json

Created July 3, 2024 15:27
Show Gist options
  • Save erikpaasonen/7bf7c24b4ad361eeef872eaea017d91e to your computer and use it in GitHub Desktop.
Save erikpaasonen/7bf7c24b4ad361eeef872eaea017d91e to your computer and use it in GitHub Desktop.
Download ZIP
Jfrog Xray scan results for github.com/gabriel-vasile/[email protected]
Raw
security_export.json
{
"total_count": 77,
"data": [
{
"id": "XRAY-521542",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.10",
"1.20.0-0 ≤ Version < 1.20.5"
],
"fixed_versions": [
"1.19.10",
"1.20.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-29404",
"cwe": [
"CWE-94"
],
"cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive.The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819261995982849,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-521542",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient validation in Go's linker leads to build-time code execution when compiling untrusted source code.",
"FullDescription": "Go supports compiling \"cgo\" binaries, which allow Go code to call C code.\r\nAs part of \"cgo\" support, Go source code files can supply flags to the GCC compiler and linker by using the `#cgo CFLAGS` and `#cgo LDFLAGS` directives, respectively.\r\nSince some GCC flags can directly lead to unwanted code execution in build time (for example the `-wrapper` flag) the Go compiler maintains a whitelist of allowed GCC flags.\r\n\r\nIt was discovered that arbitrary GCC flags can be smuggled to the build process, through the `#cgo LDFLAGS` directive.\r\nFor example, building the following code will smuggle the `-bad-flag` flag into the build process -\r\n```go\r\npackage main\r\n// #cgo LDFLAGS: -L \"-Wl,-O -Wl,-R,-bad-flag\"\r\nimport \"C\"\r\nfunc main() {}\r\n```\r\n\r\nAttackers can exploit this issue by making victims compile untrusted Go code (ex. with `go build` or `go get`). Arbitrary code execution will happen as soon as the untrusted Go code is built.",
"Impact": 6,
"VulnerabilityType": "Remote code execution",
"Resolution": "##### Development mitigations\n\nDisable \"cgo\" support by running the `go` tool with `CGO_ENABLED=0` -\r\n```bash\r\nCGO_ENABLED=0 go build .\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819262016954394,
"PublicVulnsExtendedTblId": 1792819261995982849,
"Name": "The issue results in a severe impact (such as remote code execution)",
"Description": "Code execution",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819262016954395,
"PublicVulnsExtendedTblId": 1792819261995982849,
"Name": "The issue has an exploit published",
"Description": "Published exploit demonstrates arbitrary flag injection",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819262016954396,
"PublicVulnsExtendedTblId": 1792819261995982849,
"Name": "Exploiting the issue requires the user to interact with the vulnerable software",
"Description": "A user must compile untrusted Go code in order to trigger the vulnerability",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819262016954397,
"PublicVulnsExtendedTblId": 1792819261995982849,
"RefType": "Exploit",
"Title": "Test PoC demonstrates flag injection",
"Url": "https://go-review.googlesource.com/c/go/+/501225/2/src/cmd/go/internal/work/security_test.go#237",
"InsertOrder": 1
},
{
"Id": 1792819262016954398,
"PublicVulnsExtendedTblId": 1792819261995982849,
"RefType": "Patch",
"Title": "Fix commit",
"Url": "https://go-review.googlesource.com/c/go/+/501225",
"InsertOrder": 2
},
{
"Id": 1792819262016954399,
"PublicVulnsExtendedTblId": 1792819261995982849,
"RefType": "Advisory",
"Title": "Original issue",
"Url": "https://github.com/golang/go/issues/60305",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-520141",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.9",
"1.20.0-0 ≤ Version < 1.20.4"
],
"fixed_versions": [
"1.19.9",
"1.20.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-24540",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819261375225856,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-520141",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient filtering in Go's `html/template` leads to XSS when executing crafted templates.",
"FullDescription": "",
"Impact": 5,
"VulnerabilityType": "Script code injection",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819261404585985,
"PublicVulnsExtendedTblId": 1792819261375225856,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819261404585986,
"PublicVulnsExtendedTblId": 1792819261375225856,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The attackers must find a remote input that propagates into a Go template that is subsequently rendered with `Template.Execute` or `Template.ExecuteTemplate`. This is highly unlikely and is considered a bad practice regardless of this vulnerability.",
"IsPositive": 1,
"InsertOrder": 2
}
],
"ExtendedReferences": [
{
"Id": 1792819261404585987,
"PublicVulnsExtendedTblId": 1792819261375225856,
"RefType": "Patch",
"Title": "Official Fix Commit",
"Url": "https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797",
"InsertOrder": 1
},
{
"Id": 1792819261404585988,
"PublicVulnsExtendedTblId": 1792819261375225856,
"RefType": "Advisory",
"Title": "Golang Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1752",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-82071",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"≤ 1.11.11",
"1.12 ≤ Version ≤ 1.12.5"
],
"fixed_versions": [
"1.12.6",
"1.13beta1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2019-11888",
"cwe": [
"CWE-269"
],
"cvss_v2": "7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.",
"provider": "JFrog"
}
},
"edited": "2024-03-09T01:38:41-06:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1766368004735692886,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-82071",
"VulnerabilityTitle": "",
"ShortDescription": "Unsafe environment passing in Go on Windows could lead to local privilege escalation or data leakage when creating a child process with modified privileges.",
"FullDescription": "Go-based applications that are built and run for Windows OS (only) and that create new processes using the `os.startProcess` API without providing an environment but while providing a token (both are given in the `attr *ProcAttr` argument, `attr.Env` and `attr.Sys.Token`) could be vulnerable to privilege escalation or information leak. This vulnerability is very specific to the application and would only be relevant if the parent process should have different privileges than the process it creates. When a developer does not specify an environment, `os.startProcess` would use the existing environment and not use the environment from the token that the child process is created with. If the parent environment is less privileged than the intended one for the child, it could allow the parent to attack the privileged child by changing it in ways that could affect its execution (such as the PATH environment variables) which would lead to privilege escalation. If the parent environment is more privileged, it might allow the child process to access information and lead to a data leak.",
"Impact": 5,
"VulnerabilityType": "Local privilege escalation",
"Resolution": "##### Deployment mitigations\n\nWhen calling `os.startProcess` don't pass a `nil` environment in `attr *ProcAttr` when using a non-nil token.",
"ExtendedImpactReasons": [
{
"Id": 1766368004769247258,
"PublicVulnsExtendedTblId": 1766368004735692886,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The passed environment might not allow for code injection or information leak, and must be researched by the attacker",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1766368004769247259,
"PublicVulnsExtendedTblId": 1766368004735692886,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "Non-kernel local privilege escalation or contextual information leak",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1766368004769247260,
"PublicVulnsExtendedTblId": 1766368004735692886,
"Name": "The issue can be exploited by attackers over the network",
"Description": "",
"IsPositive": 0,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1766368004769247261,
"PublicVulnsExtendedTblId": 1766368004735692886,
"RefType": "Advisory",
"Title": "Go GitHub issue #32000",
"Url": "https://github.com/golang/go/issues/32000",
"InsertOrder": 1
},
{
"Id": 1766368004769247262,
"PublicVulnsExtendedTblId": 1766368004735692886,
"RefType": "Advisory",
"Title": "go-review #176619",
"Url": "https://go-review.googlesource.com/c/go/+/176619",
"InsertOrder": 2
},
{
"Id": 1766368004769247263,
"PublicVulnsExtendedTblId": 1766368004735692886,
"RefType": "Advisory",
"Title": "Golang mailing list announcement",
"Url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ",
"InsertOrder": 3
},
{
"Id": 1766368004769247264,
"PublicVulnsExtendedTblId": 1766368004735692886,
"RefType": "Exploit",
"Title": "https://go-review.googlesource.com/c/go/+/277959/3/src/math/big/nat_test.go#813",
"Url": "https://go-review.googlesource.com/c/go/+/277959/3/src/math/big/nat_test.go#813",
"InsertOrder": 4
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-521544",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.10",
"1.20.0-0 ≤ Version < 1.20.5"
],
"fixed_versions": [
"1.19.10",
"1.20.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-29402",
"cwe": [
"CWE-94"
],
"cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819261761101825,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-521544",
"VulnerabilityTitle": "",
"ShortDescription": "Compiling Go source code that uses cgo may lead to code injection when the working path contains a newline.",
"FullDescription": "",
"Impact": 4,
"VulnerabilityType": "Script code injection",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819261786267649,
"PublicVulnsExtendedTblId": 1792819261761101825,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The code injection requires that -\r\n1. The Go source code uses \"cgo\" (code contains `import \"C\"`)\r\n2. The directory name from which the package is built, contains a newline character\r\nNote that malicious code execution will only happen when running the built module (the vulnerability does not trigger code execution on build time)",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819261786267650,
"PublicVulnsExtendedTblId": 1792819261761101825,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The issue is very unlikely to be exploited maliciously, and can only be used to somewhat hide malicious code, since the attack requires the user to build Go source code from a directory that has a crafted name. Since the malicious code will only be executed when running the built module (and not at build time), successful attacks will require the victim to build an untrusted package and execute it, which is an extremely bad practice regardless of this vulnerability.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819261786267651,
"PublicVulnsExtendedTblId": 1792819261761101825,
"Name": "The issue has an exploit published",
"Description": "PoC from test code demonstrates code injection",
"IsPositive": 0,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819261786267652,
"PublicVulnsExtendedTblId": 1792819261761101825,
"RefType": "Advisory",
"Title": "Original advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1839",
"InsertOrder": 1
},
{
"Id": 1792819261786267653,
"PublicVulnsExtendedTblId": 1792819261761101825,
"RefType": "Exploit",
"Title": "Test PoC demonstrates code injection",
"Url": "https://go-review.googlesource.com/c/go/+/501226/2/src/cmd/go/testdata/script/build_cwd_newline.txt#7",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-198036",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.14",
"1.17.0-0 ≤ Version < 1.17.7"
],
"fixed_versions": [
"1.16.14",
"1.17.7"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-23806",
"cwe": [
"CWE-252"
],
"cvss_v2": "6.4/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:P",
"cvss_v3": "9.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
}
],
"description": "Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819243138392064,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-198036",
"VulnerabilityTitle": "",
"ShortDescription": "Improper argument validation in the `IsOnCurve()` function of Go's `crypto/elliptic` package can cause it to return wrong results.",
"FullDescription": "The [crypto/elliptic](https://pkg.go.dev/crypto/elliptic) is a library that provides cryptographic operations for elliptic curve cryptography in the Go programming language. It is a standard package included in the Go standard library and is widely used in the development of secure applications that rely on elliptic curve cryptography.\r\n`Curve.IsOnCurve()` is a method provided by the `crypto/elliptic` Go package, which is used to verify that a given point is on a specific elliptic curve. This method plays a critical role in ensuring the accuracy of points used in various cryptographic operations, including digital signatures and key exchange.\r\n\r\nThe `crypto/elliptic` library implements elliptic curves on finite fields with prime orders. In this context, the coordinates used are elements of a field that consists of integers ranging from zero to P-1, where P is a prime number. It's important to note that coordinates below zero (negative) or equal to or greater than P (overflowing) are not valid coordinates.\r\n\r\nWhen invalid integer inputs, such as negative or overflowing big integers are passed to `Curve.IsOnCurve()`, it may incorrectly return `true` instead of `false`. To avoid passing invalid inputs, it is a standard practice to validate field elements using `Curve.IsOnCurve()` before using them in other functions. This is because the `Curve.IsOnCurve()` function's false return value is critical for the correct execution of the `ScalarMult()` and `Marshal()` functions.\r\n\r\nFailing to validate the field elements may cause these functions to panic due to inaccurate results.",
"Impact": 5,
"VulnerabilityType": "Unspecified",
"Resolution": "##### Development mitigations\n\nFor the manual call to `Curve.IsOnCurve()`, add the following check before the call to the function:\r\n```\r\nif x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||\r\n y.Sign() < 0 || y.Cmp(curve.P) >= 0 {\r\n return nil, fmt.Errorf(\"Point is not on the curve\")\r\n}\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819243163557889,
"PublicVulnsExtendedTblId": 1792819243138392064,
"Name": "The issue has an exploit published",
"Description": "A PoC shows that the function `IsOnCurve()` produces a true result instead of the intended false result, then later causes a panic in the `scalarMult()` function.",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819243163557890,
"PublicVulnsExtendedTblId": 1792819243138392064,
"Name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
"Description": "Since it typically serves as the parameter-checking function, the arguments passed to it are usually forwarded directly to the vulnerable function.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819243163557891,
"PublicVulnsExtendedTblId": 1792819243138392064,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attackers should find a remote input that propagates into the `Curve.IsOnCurve()` function, then later is used to call the `ScalarMult()` or `Marshal()` functions.",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819243163557892,
"PublicVulnsExtendedTblId": 1792819243138392064,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The vulnerable function `Curve.IsOnCurve()` is used internally but can also be used externally. \r\nIf there is a subsequent function call to either the `ScalarMult()` or `Marshal()` functions, the application could panic, resulting in a denial of service.",
"IsPositive": 1,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819243163557893,
"PublicVulnsExtendedTblId": 1792819243138392064,
"RefType": "Exploit",
"Title": "PoC returning true when it should have returned false",
"Url": "https://go.dev/play/p/GBMkROJLtDX",
"InsertOrder": 1
},
{
"Id": 1792819243163557894,
"PublicVulnsExtendedTblId": 1792819243138392064,
"RefType": "Advisory",
"Title": "Issue discussion with technical details",
"Url": "https://github.com/golang/go/issues/50974",
"InsertOrder": 2
},
{
"Id": 1792819243163557895,
"PublicVulnsExtendedTblId": 1792819243138392064,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/382455",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-521541",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.10",
"1.20.0-0 ≤ Version < 1.20.5"
],
"fixed_versions": [
"1.19.10",
"1.20.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-29405",
"cwe": [
"CWE-74"
],
"cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive.Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819262121811968,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-521541",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient validation in Go's linker leads to build-time code execution when compiling untrusted source code.",
"FullDescription": "Go supports compiling \"cgo\" binaries, which allow Go code to call C code.\r\nAs part of \"cgo\" support, Go source code files can supply flags to the GCC compiler and linker by using the `#cgo CFLAGS` and `#cgo LDFLAGS` directives, respectively.\r\nSince some GCC flags can directly lead to unwanted code execution in build time (for example the `-wrapper` flag) the Go compiler maintains a whitelist of allowed GCC flags.\r\n\r\nIt was discovered that arbitrary GCC flags can be smuggled to the build process, through the `#cgo LDFLAGS` directive.\r\nFor example, building the following code will smuggle the `--nosuchoption` flag into the build process -\r\n```go\r\npackage main\r\n// #cgo LDFLAGS: -L \"./ -Wl,--nosuchoption\"\r\nimport \"C\"\r\nfunc main() {}\r\n```\r\n\r\nAttackers can exploit this issue by making victims compile untrusted Go code (ex. with `go build` or `go get`). Arbitrary code execution will happen as soon as the untrusted Go code is built.",
"Impact": 6,
"VulnerabilityType": "Remote code execution",
"Resolution": "##### Deployment mitigations\n\nDisable \"cgo\" support by running the `go` tool with `CGO_ENABLED=0` -\r\n```bash\r\nCGO_ENABLED=0 go build .\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819262146977793,
"PublicVulnsExtendedTblId": 1792819262121811968,
"Name": "The issue results in a severe impact (such as remote code execution)",
"Description": "Code execution",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819262146977794,
"PublicVulnsExtendedTblId": 1792819262121811968,
"Name": "The issue has an exploit published",
"Description": "Published exploit demonstrates arbitrary flag injection",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819262146977795,
"PublicVulnsExtendedTblId": 1792819262121811968,
"Name": "Exploiting the issue requires the user to interact with the vulnerable software",
"Description": "A user must compile untrusted Go code in order to trigger the vulnerability",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819262146977796,
"PublicVulnsExtendedTblId": 1792819262121811968,
"RefType": "Exploit",
"Title": "Test PoC demonstrates flag injection",
"Url": "https://go-review.googlesource.com/c/go/+/501224/3/src/cmd/go/testdata/script/gccgo_link_ldflags.txt#18",
"InsertOrder": 1
},
{
"Id": 1792819262146977797,
"PublicVulnsExtendedTblId": 1792819262121811968,
"RefType": "Patch",
"Title": "Fix commit",
"Url": "https://go-review.googlesource.com/c/go/+/501224",
"InsertOrder": 2
},
{
"Id": 1792819262146977798,
"PublicVulnsExtendedTblId": 1792819262121811968,
"RefType": "Advisory",
"Title": "Original issue",
"Url": "https://github.com/golang/go/issues/60306",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-85927",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.11.13",
"1.12.0-0 ≤ Version < 1.12.8"
],
"fixed_versions": [
"1.11.13",
"1.12.8"
],
"more_details": {
"cves": [
{
"cve": "CVE-2019-14809",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v2": "7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819239250272256,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-85927",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient validation in Golang's net/url may lead to authentication bypass in specific scenarios.",
"FullDescription": "Go, also known as Golang, is an open-source, compiled, and statically typed programming language designed by Google. It is built to be simple, high-performing, readable, and efficient.\r\n\r\nGolang net/url mishandles malformed URLs, which may result in authentication bypass in specific scenarios.\r\n\r\nGolang `net/url` can parse the hostname and port of malformed URLs, such as `javascript://%250aalert(1)+'[email protected]/a'a`, and interpret them as valid hostname/ports (ex. referring to `google.com` in the previous example). Relying on this library to validate an attacker-controlled URL may have a security impact, as potentially dangerous elements are ignored.",
"Impact": 4,
"VulnerabilityType": "Authentication bypass",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819239283826689,
"PublicVulnsExtendedTblId": 1792819239250272256,
"Name": "The issue has a detailed technical explanation published, that can aid in exploit development",
"Description": "",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819239283826690,
"PublicVulnsExtendedTblId": 1792819239250272256,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find a remote input that propagates into a `url.Hostname` or `url.Port` API call",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819239283826691,
"PublicVulnsExtendedTblId": 1792819239250272256,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The behavior is only relevant for very specific and unlikely use cases of the API, in which a user supplied URL is considered validated after it is parsed by `net/url`. The impact of the authentication bypass depends on the 1st-party code that handles the parsed URL.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819239283826692,
"PublicVulnsExtendedTblId": 1792819239250272256,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/189258",
"InsertOrder": 1
},
{
"Id": 1792819239283826693,
"PublicVulnsExtendedTblId": 1792819239250272256,
"RefType": "Advisory",
"Title": "Technical writeup",
"Url": "https://github.com/golang/go/commit/61bb56ad63992a3199acc55b2537c8355ef887b6",
"InsertOrder": 2
},
{
"Id": 1792819239283826694,
"PublicVulnsExtendedTblId": 1792819239250272256,
"RefType": "Exploit",
"Title": "Exploit",
"Url": "https://github.com/golang/go/issues/29098",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-513412",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.8",
"1.20.0-0 ≤ Version < 1.20.3"
],
"fixed_versions": [
"1.19.8",
"1.20.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-24538",
"cwe": [
"CWE-94"
],
"cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected.Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template.As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml.With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21.Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819260972572672,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-513412",
"VulnerabilityTitle": "",
"ShortDescription": "Missing delimiter escaping in Go html/template leads to JavaScript code injection when using Go template actions inside JavaScript template literals.",
"FullDescription": "Go's [html/template](https://pkg.go.dev/html/template) package implements data-driven templates for generating HTML output safe against code injection.\r\nIt was discovered that the template package does not properly consider backticks as JavaString string delimiters, and do not escape them as expected.\r\nTherefore, if a Go template contains a Go template action (for example `{{.}}`) within a JavaScript template literal (any literal delimited by a backtick \\` character) and an attacker can control the output of the Go template action, then the attacker can output the backtick character from the action which will escape the JavaScript template literal and allow arbitrary JavaScript code injection\r\n\r\nVulnerable template example -\r\n```html\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n <title>Unsafe Template Example</title>\r\n</head>\r\n<body>\r\n <!-- \r\n Vulnerable Implementation\r\n Go template action within a JavaScript template literal\r\n Assume payload: `;alert(1);//\r\n -->\r\n <script>\r\n let data = `{{.}}`;\r\n </script>\r\n</body>\r\n</html>\r\n```\r\n\r\nViewing the above rendered template in a browser (assuming the attacker payload was \"\\`;alert(1);//\") will cause an `alert` popup.",
"Impact": 5,
"VulnerabilityType": "Script code injection",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819260997738499,
"PublicVulnsExtendedTblId": 1792819260972572672,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "The CVSS critical score (9.8) does not take into account the per-target research that must be done to exploit this vulnerability and the fact that the vulnerability is most likely to cause an XSS (JavaScript running in a browser) and not unsandboxed code execution",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819260997738500,
"PublicVulnsExtendedTblId": 1792819260972572672,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "An attacker can inject arbitrary JavaScript code simply by inserting a backtick character to escape the JavaScript template literal",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819260997738501,
"PublicVulnsExtendedTblId": 1792819260972572672,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "Most likely, the rendered template will be used in a webpage that is viewed in a browser. In this case, exploitation will result in XSS (JavaScript code injection in the browser) which is less severe than unsandboxed RCE. In cases where the rendered template is directly used in a Node.js application or Electron application, exploitation may lead to unsandboxed RCE.",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819260997738502,
"PublicVulnsExtendedTblId": 1792819260972572672,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "A vulnerable Go template must be rendered using `Template.Execute` or `Template.ExecuteTemplate`",
"IsPositive": 1,
"InsertOrder": 4
},
{
"Id": 1792819260997738503,
"PublicVulnsExtendedTblId": 1792819260972572672,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The attacker must be able to control the output of a Go template action which is wrapped with backticks (meaning - it is treated as a JavaScript template literal)",
"IsPositive": 1,
"InsertOrder": 5
}
],
"ExtendedReferences": [
{
"Id": 1792819260997738504,
"PublicVulnsExtendedTblId": 1792819260972572672,
"RefType": "Advisory",
"Title": "Original advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1703",
"InsertOrder": 1
},
{
"Id": 1792819260997738505,
"PublicVulnsExtendedTblId": 1792819260972572672,
"RefType": "Patch",
"Title": "Fix commit",
"Url": "https://go-review.googlesource.com/c/go/+/482079",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-187759",
"severity": "Critical",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.9",
"1.17.0-0 ≤ Version < 1.17.2"
],
"fixed_versions": [
"1.16.9",
"1.17.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-38297",
"cwe": [
"CWE-120"
],
"cvss_v2": "7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments due to a buffer overflow error.If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819242173702144,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-187759",
"VulnerabilityTitle": "",
"ShortDescription": "A buffer overflow in Go's Wasm module could lead to sandboxed remote code execution when parsing malicious command line arguments.",
"FullDescription": "[Go](https://golang.org/) is an open source programming language developed by Google with the same syntax of C language but with memory safety, garbage collection, structural typing, and CSP-style concurrency.\r\n\r\nA bug was found in the way Go handles function invocation from Wasm module. In case the user builds a Wasm module in Go - \r\n```\r\nGOOS=js GOARCH=wasm go build -o main.wasm \r\n```\r\n\r\nAnd subsequently loads the Wasm module in the browser, **while passing arguments to it** -\r\n```js\r\n<script>\r\n const params = new URLSearchParams(window.location.search)\r\n const go = new Go();\r\n WebAssembly.instantiateStreaming(fetch(\"main.wasm\"), go.importObject).then((result) => {\r\n go.argv = ['js', 'foo', params.get('external_argument')];\r\n go.run(result.instance);\r\n });\r\n</script>\r\n```\r\nIf an attacker can control one of the parameters passed to `go.argv` and subsequently cause the entire command line (`argv`) to exceed 4096 characters, then an attacker-controlled buffer overflow will occur. The attacker can use this buffer overflow to replace the entire contents if the compiled Wasm module and achieve arbitrary code execution in the browser's JavaScript (Wasm) sandbox.\r\n\r\nIn the example above, since `external_argument` comes from a query parameter, this would be achieved by surfing to a URL such as -\r\n`https://test.com/?external_argument=AAAAAA...{repeat 4096 times}...`\r\n\r\nCurrently, no public exploit or technical writeup were published for this issue.\r\n\r\nThe impact of exploiting the issue is not severe, since the attacker's code will run in the browser's JavaScript (Wasm) sandbox. This means the impact is the same as loading an attacker-controlled Wasm module, or alternatively the same impact as an XSS attack on the vulnerable web page. For example - page cookies can be stolen, but arbitrary code execution cannot be directly achieved.",
"Impact": 5,
"VulnerabilityType": "Script code injection",
"Resolution": "##### Development mitigations\n\nWhen running the Wasm binary - check that the total length of `go.argv` is smaller than 4k -\r\n\r\n```js\r\nconst maxSize = 4096;\r\nfunction checkWasmCmd(arr) {\r\n var len = arr.reduce(\r\n (cur, elem) => {\r\n //pad each element to 8 bytes\r\n return cur + elem.length + (8 - (elem.length % 8))\r\n }, 0\r\n );\r\n \r\n if (len <= maxSize) {\r\n return true;\r\n }\r\n return false;\r\n}\r\n\r\nfunction runWasm(wasmPath, args) {\r\n var go = new Go();\r\n WebAssembly.instantiateStreaming(fetch(wasmPath), go.importObject).then((result) => {\r\n go.argv = go.argv.concat(args);\r\n if (checkWasmCmd(go.argv)) {\r\n go.run(result.instance);\r\n } else {\r\n console.log('Failed to run Wasm binary: command line is too long');\r\n }\r\n });\r\n}\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819242211450882,
"PublicVulnsExtendedTblId": 1792819242173702144,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "An attacker can use the buffer overflow to overwrite the entire Wasm module with an attacker-supplied Wasm module",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819242211450883,
"PublicVulnsExtendedTblId": 1792819242173702144,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "Even if RCE is achieved, the impact is similar to an XSS attack, since the attacker's code runs inside the browser's JavaScript sandbox",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819242211450884,
"PublicVulnsExtendedTblId": 1792819242173702144,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The vulnerable web page must load a Go Wasm module (`go.run(result.instance)`), and use an attacker-controlled parameter as one of the arguments in `go.argv`",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819242211450885,
"PublicVulnsExtendedTblId": 1792819242173702144,
"RefType": "Advisory",
"Title": "Original advisory",
"Url": "https://github.com/advisories/GHSA-xv38-944c-p763",
"InsertOrder": 1
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-180703",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.13",
"1.16.0-0 ≤ Version < 1.16.5"
],
"fixed_versions": [
"1.15.13",
"1.16.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-33195",
"cwe": [
"CWE-74"
],
"cvss_v2": "7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "7.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"description": "The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-521543",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.10",
"1.20.0-0 ≤ Version < 1.20.5"
],
"fixed_versions": [
"1.19.10",
"1.20.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-29403",
"cwe": [
"CWE-668"
],
"cvss_v3": "7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"description": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819261874348032,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-521543",
"VulnerabilityTitle": "",
"ShortDescription": "Incorrect error handling in the Go runtime allows local attackers to cause data leakage when SUID Go binaries are executed.",
"FullDescription": "",
"Impact": 4,
"VulnerabilityType": "Data leakage",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819261899513896,
"PublicVulnsExtendedTblId": 1792819261874348032,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "Attackers must cause a setuid/setgid Go executable to crash",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819261899513897,
"PublicVulnsExtendedTblId": 1792819261874348032,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The impact depends on the Go application being run.\r\nIf the standard file descriptors are closed while running the Go application, an attacker can exploit the issue to read/write arbitrary files.\r\nIn the case of a crash of the Go application, a memory dump of the crash could result in data leakage.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819261899513898,
"PublicVulnsExtendedTblId": 1792819261874348032,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "The CVSS does not take into account the high attack complexity and per-target research needed to exploit this issue.",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819261899513899,
"PublicVulnsExtendedTblId": 1792819261874348032,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "Exploitation relies on the Go application binary having the `setuid`/`setgid` bits set. Moreover, the only scenarios found exploitable are when the standard file descriptors (`stdin`/`stdout`/`stderr`) are closed or when a memory dump occurs, which are highly unlikely.",
"IsPositive": 1,
"InsertOrder": 4
},
{
"Id": 1792819261899513900,
"PublicVulnsExtendedTblId": 1792819261874348032,
"Name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)",
"Description": "The data leakage caused by crashing a setuid/setgid Go executable is very likely to be visible to local attackers exclusively",
"IsPositive": 1,
"InsertOrder": 5
}
],
"ExtendedReferences": [
{
"Id": 1792819261899513901,
"PublicVulnsExtendedTblId": 1792819261874348032,
"RefType": "Patch",
"Title": "Published vulnerability patch",
"Url": "https://go-review.googlesource.com/c/go/+/501223",
"InsertOrder": 1
},
{
"Id": 1792819261899513902,
"PublicVulnsExtendedTblId": 1792819261874348032,
"RefType": "Advisory",
"Title": "Original Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1840",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248631",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30632",
"cwe": [
"CWE-674"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819244589621248,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248631",
"VulnerabilityTitle": "",
"ShortDescription": "Uncontrolled recursion in Golang path/filepath.Glob leads to denial of service when processing attacker-supplied Glob patterns.",
"FullDescription": "The `Glob` command allows listing files with \"Glob\" patterns - path strings which may contain wildcard characters such as `*` and `?` which match any character.\r\n\r\nIt was discovered that calling `Glob` on a path which contains a large number of path separators can cause panic due to stack exhaustion, which will crash the calling Go process.\r\nExample code snippet that triggers the issue -\r\n```go\r\n_, err := Glob(\"/*\" + strings.Repeat(\"/\", 10001))\r\n```\r\nNote that it is unlikely that remote attackers will be able to control glob patterns",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819244623175681,
"PublicVulnsExtendedTblId": 1792819244589621248,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find remote input that propagates into a `Glob` API call (first argument)",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819244623175682,
"PublicVulnsExtendedTblId": 1792819244589621248,
"Name": "The issue has an exploit published",
"Description": "Published PoC in test code demonstrates denial of service",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819244623175683,
"PublicVulnsExtendedTblId": 1792819244589621248,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "It is unlikely that remote attackers will be able to control a Glob pattern. The severity of this issue being exploited by a local attacker is limited.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819244623175684,
"PublicVulnsExtendedTblId": 1792819244589621248,
"RefType": "Advisory",
"Title": "GitHub advisory",
"Url": "https://github.com/advisories/GHSA-hc24-7m29-5vj7",
"InsertOrder": 1
},
{
"Id": 1792819244623175685,
"PublicVulnsExtendedTblId": 1792819244589621248,
"RefType": "Exploit",
"Title": "Exploit in PoC test code",
"Url": "https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef%5E%21/#F1",
"InsertOrder": 2
},
{
"Id": 1792819244623175686,
"PublicVulnsExtendedTblId": 1792819244589621248,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.googlesource.com/go/+/ac68c6c683409f98250d34ad282b9e1b0c9095ef%5E%21/#F1",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-260471",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.18.8",
"1.19.0-0 ≤ Version < 1.19.3"
],
"fixed_versions": [
"1.18.8",
"1.19.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-41716",
"cwe": [
"NVD-CWE-Other"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description": "Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819257042509824,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-260471",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input validation in Golang allows attackers to set arbitrary environment variables.",
"FullDescription": "[Golang](https://go.dev/) is a statically typed, compiled programming language.\r\n\r\nIt was discovered that due to insufficient checks in `syscall.StartProcess` and `os/exec.Cmd`, an attacker can overwrite arbitrary environment variables.\r\n\r\nThe vulnerability only applies to Windows systems, as an attacker needs to make use of the `NUL` value.\r\n\r\nAn example:\r\nThe environment variable string `A=B\\x00C=D` will set the environment variables `A=B` and `C=D`.",
"Impact": 4,
"VulnerabilityType": "Unspecified",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819257071869953,
"PublicVulnsExtendedTblId": 1792819257042509824,
"Name": "The issue can be exploited by attackers over the network",
"Description": "When a remote attacker has access to set environment variables through a network endpoint that takes user input- this vulnerability will also be remotely exploitable.",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819257071869954,
"PublicVulnsExtendedTblId": 1792819257042509824,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The code needs to use user input as an environment variable to trigger this vulnerability.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819257071869955,
"PublicVulnsExtendedTblId": 1792819257042509824,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "This only applies to Windows systems.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819257071869956,
"PublicVulnsExtendedTblId": 1792819257042509824,
"RefType": "Advisory",
"Title": "Official Go GitHub Issue",
"Url": "https://github.com/golang/go/issues/56284",
"InsertOrder": 1
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-180702",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.13",
"1.16.0-0 ≤ Version < 1.16.5"
],
"fixed_versions": [
"1.15.13",
"1.16.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-33196",
"cwe": [
"CWE-20"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248632",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.11",
"1.18.0-0 ≤ Version < 1.18.3"
],
"fixed_versions": [
"1.17.11",
"1.18.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-29804",
"cwe": [
"CWE-22"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description": "On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack.For example, Clean(\".\\c:\") returns \"c:\".",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819245965352960,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248632",
"VulnerabilityTitle": "",
"ShortDescription": "Invalid input validation in Golang filepath.Clean may lead to filter bypass when cleaning crafted filepaths on Windows.",
"FullDescription": "Golang's [filepath.Clean](https://pkg.go.dev/path/filepath#Clean) method returns the shortest path name **equivalent** to the input path by purely lexical processing.\r\n\r\nIt was discovered that on Windows, the method transformed some invalid filepaths into valid unexpected filepaths, specifically - \r\n```go\r\nfilepath.Clean(`.\\c:`) // `c:` Input is an invalid path; Output points to drive C\r\nfilepath.Clean(`.\\c:\\foo`) // `c:\\foo` Input is an invalid path; Output is an absolute path\r\nfilepath.Clean(`.\\c:foo`) // `c:foo` Input points to ADS `foo` of file `.\\c`; Output points to `foo` on drive C\r\n```\r\n\r\nThe original advisory contained a severe implication of this issue, where starting an HTTP server based on the \"net/http\" module, which is supposed to be restricted to the current directory, would actually serve files from any absolute path - \r\n```go\r\npackage main\r\n\r\nimport \"net/http\"\r\n\r\nfunc main() {\r\n\thttp.ListenAndServe(\":8080\", http.FileServer(http.Dir(\".\")))\r\n}\r\n```\r\nRequesting `http://localhost:8080/c:/Users/` lists the directory contents of `C:\\Users\\`.",
"Impact": 5,
"VulnerabilityType": "Filter Bypass",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819245994713091,
"PublicVulnsExtendedTblId": 1792819245965352960,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "An attacker simply needs to supply a string prefixed with `.\\c:` to `filepath.Clean`",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819245994713092,
"PublicVulnsExtendedTblId": 1792819245965352960,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The impact highly depends on how the attacker-controlled path is used after it's been cleaned. An attacker can supply an invalid path which would be transformed into either a drive letter, an absolute path or an ADS (alternate data stream)",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819245994713093,
"PublicVulnsExtendedTblId": 1792819245965352960,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find remote input that propagates into the `filepath.Clean` method",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819245994713094,
"PublicVulnsExtendedTblId": 1792819245965352960,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/401595/",
"InsertOrder": 1
},
{
"Id": 1792819245994713095,
"PublicVulnsExtendedTblId": 1792819245965352960,
"RefType": "Advisory",
"Title": "Original advisory",
"Url": "https://github.com/golang/go/issues/52476",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-520142",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.9",
"1.20.0-0 ≤ Version < 1.20.4"
],
"fixed_versions": [
"1.19.9",
"1.20.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-24539",
"cwe": [
"CWE-74"
],
"cvss_v3": "7.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"description": "Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819261253591040,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-520142",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient filtering in Go's `html/template` leads to XSS when executing crafted templates.",
"FullDescription": "",
"Impact": 5,
"VulnerabilityType": "Script code injection",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819261274562563,
"PublicVulnsExtendedTblId": 1792819261253591040,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819261274562564,
"PublicVulnsExtendedTblId": 1792819261253591040,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The attackers must find a remote input that propagates into a Go template that is subsequently rendered with `Template.Execute` or `Template.ExecuteTemplate`. This is highly unlikely and is considered a bad practice regardless of this vulnerability.",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819261274562562,
"PublicVulnsExtendedTblId": 1792819261253591040,
"Name": "The issue has an exploit published",
"Description": "Test code contains PoC that demonstrates code injection.",
"IsPositive": 0,
"InsertOrder": 1
}
],
"ExtendedReferences": [
{
"Id": 1792819261274562565,
"PublicVulnsExtendedTblId": 1792819261253591040,
"RefType": "Patch",
"Title": "Official Fix Commit",
"Url": "https://github.com/tailscale/go/commit/10da5ba9ffbfd2496a293422fa97557bed735698",
"InsertOrder": 1
},
{
"Id": 1792819261274562566,
"PublicVulnsExtendedTblId": 1792819261253591040,
"RefType": "Advisory",
"Title": "Golang Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1751",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-426750",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as \"a/../c:/b\" into the valid path \"c:\\b\". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path \".\\c:\\b\".",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.6",
"1.20.0-0 ≤ Version < 1.20.1"
],
"fixed_versions": [
"1.19.6",
"1.20.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-41722",
"cwe": [
"CWE-22"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description": "A path traversal vulnerability exists in filepath.Clean on Windows.On Windows, the filepath.Clean function could transform an invalid path such as \"a/../c:/b\" into the valid path \"c:\\b\". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path \".\\c:\\b\".",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819259642978304,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-426750",
"VulnerabilityTitle": "",
"ShortDescription": "Improper error handling in Go leads to unexpected results from the Clean function.",
"FullDescription": "The `Clean()` function in the [`path/filepath`](https://pkg.go.dev/path/filepath) package of the Go programming language is used to clean up a given path and return a shorter, cleaned version of the path. This function takes into consideration the operating system and is capable of transforming a Unix path to a Windows path if needed.\r\n\r\nIt was discovered that when running Go applications on Windows (only), if the input path to `Clean` contains the `:` operator, the function can form a valid Windows path from this operator alone. For example, calling `Clean(\"a/../c:/b\")` will erroneously transform the input path into `c:\\b`. Due to these unexpected results, in certain cases, the use of this function can lead to path traversal or filter bypass issues.",
"Impact": 5,
"VulnerabilityType": "Unspecified",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819259676532738,
"PublicVulnsExtendedTblId": 1792819259642978304,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The specific security impact of this issue depends on the way that the input for `Clean` is checked AND used after the call to `Clean`. For example, if the input is validated to not point to `C:\\` before calling `Clean`, then an attacker can bypass this validation by calling `Clean(\"a/../c:/b\")` which doesn't start with `C:\\` but will result in the output path `c:\\b` after cleaning",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819259676532739,
"PublicVulnsExtendedTblId": 1792819259642978304,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find an input that propagates to the `Clean()` function",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819259676532740,
"PublicVulnsExtendedTblId": 1792819259642978304,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "It is easy to craft an invalid path for `Clean` that will result in a valid, unexpected output path",
"IsPositive": 0,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819259676532741,
"PublicVulnsExtendedTblId": 1792819259642978304,
"RefType": "Advisory",
"Title": "Go Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1568",
"InsertOrder": 1
},
{
"Id": 1792819259676532742,
"PublicVulnsExtendedTblId": 1792819259642978304,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/468123",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-513413",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.8",
"1.20.0-0 ≤ Version < 1.20.3"
],
"fixed_versions": [
"1.19.8",
"1.20.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-24537",
"cwe": [
"CWE-190"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819260842549249,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-513413",
"VulnerabilityTitle": "",
"ShortDescription": "An infinite loop in Go's parser package leads to denial of service when parsing crafted Go source code.",
"FullDescription": "Go's [parser](https://pkg.go.dev/go/parser) package implements a parser for Go source files. Input may be provided in a variety of forms (see the various Parse* functions); the output is an abstract syntax tree (AST) representing the Go source. The parser is invoked through one of the Parse* functions.\r\n\r\nIt was discovered that a `//line` directive (used normally [for debugging purposes](https://www.lemoda.net/go/line-directives/index.html)) with a very large line number, can cause an integer overflow in the parser which results in an infinite loop denial of service.\r\n\r\nNote that the vulnerability can be triggered indirectly, for example via Go's [scanner](https://pkg.go.dev/go/scanner) package, or even by calling `go build` on untrusted source code.\r\n\r\nThat said, the vulnerability is less likely to affect runtime services, since Go source code parsing is mostly done at compile-time.\r\n\r\nMalicious source code example - \r\n```go\r\npackage p\r\n//line :9223372036854775806\r\n\r\n//\r\n```",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819260867715075,
"PublicVulnsExtendedTblId": 1792819260842549249,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "The DoS vulnerability is less likely to affect runtime services, since Go source code parsing is mostly done at compile-time. In the more likely case of the vulnerability affecting a command-line utility, the impact is less severe since it will lead to DoS of a forked non-server utility.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819260867715076,
"PublicVulnsExtendedTblId": 1792819260842549249,
"Name": "The issue has an exploit published",
"Description": "A PoC that demonstrates DoS can be found in the fixing commit.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819260867715077,
"PublicVulnsExtendedTblId": 1792819260842549249,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The attacker would need to cause crafted Go source code to be parsed directly by the `parser` package or indirectly by the `scanner` package (or by any command-line utility that calls either of the above packages, such as `go build`).",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819260867715078,
"PublicVulnsExtendedTblId": 1792819260842549249,
"RefType": "Advisory",
"Title": "Original issue",
"Url": "https://github.com/golang/go/issues/59180",
"InsertOrder": 1
},
{
"Id": 1792819260867715079,
"PublicVulnsExtendedTblId": 1792819260842549249,
"RefType": "Exploit",
"Title": "Crashing PoC from test files",
"Url": "https://go-review.googlesource.com/c/go/+/482078/2/src/go/parser/parser_test.go#771",
"InsertOrder": 2
},
{
"Id": 1792819260867715080,
"PublicVulnsExtendedTblId": 1792819260842549249,
"RefType": "Patch",
"Title": "Fix commit",
"Url": "https://go-review.googlesource.com/c/go/+/482078",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-197973",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.14",
"1.17.0-0 ≤ Version < 1.17.7"
],
"fixed_versions": [
"1.16.14",
"1.17.7"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-23772",
"cwe": [
"CWE-190"
],
"cvss_v2": "7.8/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819243427799040,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-197973",
"VulnerabilityTitle": "",
"ShortDescription": "Unhandled overflow in Go's `math/big` package can lead to memory exhaustion when unmarshalling a string into a `Rat` with a crafted string using a base 10 exponent.",
"FullDescription": "The [math/big](https://pkg.go.dev/math/big) Go package provides arbitrary-precision arithmetic for integers, rational numbers, and floating-point numbers.\r\nWhen using the `Rat.SetString()` method in the `math/big` Go package to convert a `string` into a `Rat` object representing rational numbers, a crafted decimal floating-point number in the input string can cause memory exhaustion. \r\n\r\nFor example, the string `13e-9223372036854775808` contains a base 10 exponent value that is the minimum possible value for a 64-bit signed integer (-2^63). In this case, the `SetString` method does not filter or limit the overflow of the exponent value when the exponent is negative. Consequently, it is converted to an unsigned integer, which can trigger a sizeable exponential operation during the conversion process.\r\n\r\nExample of vulnerable code:\r\n```go\r\nfunc ParseFloatStringToRat(floatStr string) (*big.Rat, error) {\r\n\tr := big.NewRat(1, 1)\r\n\tif _, ok := r.SetString(floatStr); !ok {\r\n\t\treturn nil, fmt.Errorf(\"failed to parse the string!\")\r\n\t}\r\n\r\n\treturn r, nil\r\n}\r\n```",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "##### Development mitigations\n\nSanitize user input by enforcing a minimum integer before calling `Rat.SetString()` :\r\n```\r\nfunc containsBadMinInt64(s string) bool {\r\n\tconst minInt64 = \"-9223372036854775808\"\r\n\treturn strings.Contains(s, minInt64)\r\n}\r\n```\r\nThis function returns `True` if the input string contains the minimal signed integer number that can cause the memory exhaustion.",
"ExtendedImpactReasons": [
{
"Id": 1792819243457159169,
"PublicVulnsExtendedTblId": 1792819243427799040,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "It is unlikely that unsanitized user input will be supplied to the `Rat.SetString()` function.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819243457159170,
"PublicVulnsExtendedTblId": 1792819243427799040,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attackers must find a remote input that propagates to the `Rat.SetString()` method of the Go's math/big package.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819243457159171,
"PublicVulnsExtendedTblId": 1792819243427799040,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "An example of a decimal floating point in a string is given in the unit-test: `13e-9223372036854775808`.",
"IsPositive": 0,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819243457159172,
"PublicVulnsExtendedTblId": 1792819243427799040,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/379537",
"InsertOrder": 1
},
{
"Id": 1792819243457159173,
"PublicVulnsExtendedTblId": 1792819243427799040,
"RefType": "Advisory",
"Title": "Advisory",
"Url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-540244",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.0"
],
"fixed_versions": [
"1.20.0"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-45287",
"cwe": [
"CWE-203"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description": "Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits.In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819264613228544,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-540244",
"VulnerabilityTitle": "",
"ShortDescription": "A design problem in Golang crypto/tls may lead to data leakage when performing RSA-based TLS key exchange.",
"FullDescription": "",
"Impact": 5,
"VulnerabilityType": "Data leakage",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819264634200065,
"PublicVulnsExtendedTblId": 1792819264613228544,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "An attacker needs to find the use of sensitive data within a vulnerable function utilizing the crypto/tls library for cryptographic calculations.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819264634200066,
"PublicVulnsExtendedTblId": 1792819264613228544,
"Name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven",
"Description": "To exploit this vulnerability an attacker would need an in-depth understanding of how to perform a side-channel timing attack, as well as be familiar with the Golang's crypto package's inner workings.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819264634200067,
"PublicVulnsExtendedTblId": 1792819264613228544,
"Name": "The issue results in a severe impact (such as remote code execution)",
"Description": "Data leakage.",
"IsPositive": 0,
"InsertOrder": 3
},
{
"Id": 1792819264634200068,
"PublicVulnsExtendedTblId": 1792819264613228544,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "Exploiting this vulnerability is highly challenging, requiring a timing side channel and a complex cryptographic attack.",
"IsPositive": 1,
"InsertOrder": 4
},
{
"Id": 1792819264634200069,
"PublicVulnsExtendedTblId": 1792819264613228544,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "Exploiting the vulnerability may lead to leakage, including recovery of session key bits. However, execution of the attack may not always produce valuable data and is very context-dependent.",
"IsPositive": 1,
"InsertOrder": 5
}
],
"ExtendedReferences": [
{
"Id": 1792819264634200070,
"PublicVulnsExtendedTblId": 1792819264613228544,
"RefType": "Technical Writeup",
"Title": "Vulnerability discussion git issue",
"Url": "https://github.com/golang/go/issues/20654",
"InsertOrder": 1
},
{
"Id": 1792819264634200071,
"PublicVulnsExtendedTblId": 1792819264613228544,
"RefType": "Patch",
"Title": "Fix commit",
"Url": "https://github.com/microsoft/go-crypto-openssl/pull/25/commits/8f28bf79145a77e7afcfc3a7ebefa8fdf5978279",
"InsertOrder": 2
},
{
"Id": 1792819264634200072,
"PublicVulnsExtendedTblId": 1792819264613228544,
"RefType": "Advisory",
"Title": "Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-2375",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-145876",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.9",
"1.16.0-0 ≤ Version < 1.16.1"
],
"fixed_versions": [
"1.15.9",
"1.16.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-27918",
"cwe": [
"CWE-835"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248645",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.13",
"1.18.0-0 ≤ Version < 1.18.5"
],
"fixed_versions": [
"1.17.13",
"1.18.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-32189",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.",
"provider": "JFrog"
}
},
"edited": "2024-03-09T01:29:25-06:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1766365695108640770,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248645",
"VulnerabilityTitle": "",
"ShortDescription": "An out-of-bounds read in Go's math/big module leads to denial of service.",
"FullDescription": "Go has a special module for big numbers: `math/big`. The `big` package implements arbitrary-precision arithmetic for signed integers, rational numbers and floating-point numbers.\r\n\r\nA crafted input can cause the `GobDecode` function to panic which leads to a denial of service.\r\n\r\nThe exploitation is trivial and a PoC has been published. The attacker must find a remote input that propagates into `Float.GobDecode()` or `Rat.GobDecode()` functions.",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1766365695146389507,
"PublicVulnsExtendedTblId": 1766365695108640770,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find a remote input that propagates into the `Float.GobDecode()` or `Rat.GobDecode()` functions",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1766365695146389508,
"PublicVulnsExtendedTblId": 1766365695108640770,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "The following code is enough to cause a denial of service: \r\n```\r\nFloat0 := big.NewFloat(0.0)\r\nFloat0.GobDecode([]byte{0x1, 0x0, 0x0, 0x0})\r\n```\r\nIt can be tested [here](https://go.dev/play/p/-iOX1cXown9).",
"IsPositive": 0,
"InsertOrder": 2
}
],
"ExtendedReferences": [
{
"Id": 1766365695146389509,
"PublicVulnsExtendedTblId": 1766365695108640770,
"RefType": "Advisory",
"Title": "GitHub issue discussion",
"Url": "https://github.com/golang/go/issues/53871",
"InsertOrder": 1
},
{
"Id": 1766365695146389510,
"PublicVulnsExtendedTblId": 1766365695108640770,
"RefType": "Exploit",
"Title": "PoC",
"Url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49120",
"InsertOrder": 2
},
{
"Id": 1766365695146389511,
"PublicVulnsExtendedTblId": 1766365695108640770,
"RefType": "Advisory",
"Title": "Advisory",
"Url": "https://github.com/golang/vulndb/issues/537",
"InsertOrder": 3
},
{
"Id": 1766365695146389512,
"PublicVulnsExtendedTblId": 1766365695108640770,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66",
"InsertOrder": 4
},
{
"Id": 1766365695146389513,
"PublicVulnsExtendedTblId": 1766365695108640770,
"RefType": "Exploit",
"Title": "PoC in Go online compiler.",
"Url": "https://go.dev/play/p/-iOX1cXown9",
"InsertOrder": 5
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-257703",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.18.7",
"1.19.0-0 ≤ Version < 1.19.2"
],
"fixed_versions": [
"1.18.7",
"1.19.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-41715",
"cwe": [
"NVD-CWE-Other"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service.The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819248360300544,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-257703",
"VulnerabilityTitle": "",
"ShortDescription": "Unbounded resource consumption in Golang regexp/syntax enables attackers to perform denial of service when compiling or parsing crafted regular expressions.",
"FullDescription": "Golang's [regexp/syntax](https://pkg.go.dev/regexp/syntax) package enables parsing of regular expressions into parse (syntax) trees and compiling parse trees into programs.\r\n\r\nIt was discovered that the parsed regexp representation had an unbounded memory footprint, and in some cases relatively small regexps can consume much larger amounts of memory. The issue was fixed by rejecting parse trees which consume more than 256MB of memory.\r\n\r\nWhile the `regexp/syntax` package by itself is not that popular, however, the vulnerable function `syntax.Parse` is used by multiple functions from the much more popular `regexp` package.\r\n\r\nAttackers can trigger the vulnerability by giving a large or complicated regexp to one of the following API functions:\r\n\r\nFrom `regexp/syntax`:\r\n\r\n1. `Parse`\r\n\r\nFrom `regexp`:\r\n\r\n1. `Match`\r\n2. `MatchReader`\r\n3. `MatchString`\r\n4. `Regexp.Compile`\r\n5. `Regexp.CompilePOSIX`\r\n6. `Regexp.MustCompile`\r\n7. `Regexp.MustCompilePOSIX`",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819248385466369,
"PublicVulnsExtendedTblId": 1792819248360300544,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The attacker must find remote input that propagates into the `Parse` API, either directly or through a vulnerable function in the more popular `regexp` package. This is very unlikely since regular expressions are usually not compiled from untrusted sources.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819248385466370,
"PublicVulnsExtendedTblId": 1792819248360300544,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "Linear complexity memory consumption (albeit the linear constant can be 40KB per 1 regex character)",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819248385466371,
"PublicVulnsExtendedTblId": 1792819248360300544,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "CVSS doesn't take into account the high attack complexity of this attack, since the researcher must find a remote input for regular expressions to be compiled",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819248385466372,
"PublicVulnsExtendedTblId": 1792819248360300544,
"Name": "The issue has an exploit published",
"Description": "PoC from test code demonstrates DoS",
"IsPositive": 0,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819248385466373,
"PublicVulnsExtendedTblId": 1792819248360300544,
"RefType": "Exploit",
"Title": "Crashing PoC from test code",
"Url": "https://go-review.googlesource.com/c/go/+/439356/2/src/regexp/syntax/parse_test.go#488",
"InsertOrder": 1
},
{
"Id": 1792819248385466374,
"PublicVulnsExtendedTblId": 1792819248360300544,
"RefType": "Patch",
"Title": "The official Golang patch",
"Url": "https://go-review.googlesource.com/c/go/+/439356",
"InsertOrder": 2
},
{
"Id": 1792819248385466375,
"PublicVulnsExtendedTblId": 1792819248360300544,
"RefType": "Advisory",
"Title": "The official Golang advisory",
"Url": "https://pkg.go.dev/vuln/GO-2022-1039",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-199345",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.15",
"1.17.0-0 ≤ Version < 1.17.8"
],
"fixed_versions": [
"1.16.15",
"1.17.8"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-24921",
"cwe": [
"CWE-674"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-89115",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.12.10",
"1.13.0-0 ≤ Version < 1.13.1"
],
"fixed_versions": [
"1.12.10",
"1.13.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2019-16276",
"cwe": [
"CWE-444"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description": "net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248649",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30630",
"cwe": [
"CWE-674"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819245243932672,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248649",
"VulnerabilityTitle": "",
"ShortDescription": "Uncontrolled recursion in Golang io/fs.Glob leads to denial of service when processing attacker-supplied Glob patterns.",
"FullDescription": "The `Glob` command allows listing files with \"Glob\" patterns - path strings which may contain wildcard characters such as `*` and `?` which match any character.\r\n\r\nIt was discovered that calling `Glob` on a path which contains a large number of path separators can cause panic due to stack exhaustion, which will crash the calling Go process.\r\nExample code snippet that triggers the issue -\r\n```go\r\n_, err := Glob(fs, \"/*\" + strings.Repeat(\"/\", 10001))\r\n```\r\nNote that it is unlikely that remote attackers will be able to control glob patterns",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819245281681409,
"PublicVulnsExtendedTblId": 1792819245243932672,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find remote input that propagates into a `Glob` API call (first argument)",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819245281681410,
"PublicVulnsExtendedTblId": 1792819245243932672,
"Name": "The issue has an exploit published",
"Description": "Published PoC in test code demonstrates denial of service",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819245281681411,
"PublicVulnsExtendedTblId": 1792819245243932672,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "It is unlikely that remote attackers will be able to control a Glob pattern. The severity of this issue being exploited by a local attacker is limited.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819245281681412,
"PublicVulnsExtendedTblId": 1792819245243932672,
"RefType": "Advisory",
"Title": "GitHub advisory",
"Url": "https://github.com/advisories/GHSA-vjj7-39vr-35r3",
"InsertOrder": 1
},
{
"Id": 1792819245281681413,
"PublicVulnsExtendedTblId": 1792819245243932672,
"RefType": "Exploit",
"Title": "Exploit in PoC test code",
"Url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59%5E%21/#F1",
"InsertOrder": 2
},
{
"Id": 1792819245281681414,
"PublicVulnsExtendedTblId": 1792819245243932672,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-540330",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.12",
"1.21.0-0 ≤ Version < 1.21.5"
],
"fixed_versions": [
"1.20.12",
"1.21.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-45285",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description": "Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819264747446287,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-540330",
"VulnerabilityTitle": "",
"ShortDescription": "A design problem in Go's `cmd/go` allows network attackers to perform man-in-the-middle attacks when a client fetches a module with the `.git` suffix and without an explicit URL scheme.",
"FullDescription": "[cmd/go](https://pkg.go.dev/cmd/go) is a command-line tool and part of the Go programming language's toolchain. It is primarily used for managing Go modules, which are collections of Go packages and their dependencies.\r\nThe logic in `(*vcs).vcs.repoRootFromVCSPaths` function, part of the `cmd/go` package, has a design problem when processing a module's `url` that ends with the `.git` suffix (`foo/bar.git`) and is unavailable via secure protocols (`https`, `ssh`). \r\n\r\nFor example, when fetching a module with a URL that has no scheme and ends with `.git` -\r\n`go get -x dgl.cx/foo.git`\r\nIf the module cannot be fetched with the `https://` or `git+ssh://` schemes, then Go will unexpectedly try to fetch the module using insecure schemes such as `http://` and `git://`, which allows for man-in-the-middle attacks that can lead to data leakages or even indirect remote code execution (by attackers tampering with the fetched source code).",
"Impact": 5,
"VulnerabilityType": "Data leakage",
"Resolution": "##### Deployment mitigations\n\nUse an explicit (secure) scheme when fetching Go modules.\r\nFor example instead of -\r\n```\r\ngo get -x dgl.cx/foo.git\r\n```\r\n\r\nUse - \r\n```\r\ngo get -x https://dgl.cx/foo.git\r\n```\r\n\r\nor alternatively -\r\n```\r\ngo get -x git+ssh://dgl.cx/foo.git\r\n```\r\n```\n\n##### Deployment mitigations\n\nDo not disable the module proxy.\r\nSpecifically, do not set the environment variable `GOPROXY=off`.",
"ExtendedImpactReasons": [
{
"Id": 1792819264772612097,
"PublicVulnsExtendedTblId": 1792819264747446287,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "Attackers can mount MitM attacks on fetched Go modules, if the client fetches the module using a URL that satisfies the following conditions:\r\n1. The URL has to end with `.git`.\r\n2. The URL must not contain an explicit scheme\r\n3. The user is fetching modules directly (i.e. sets GOPROXY=off), which is not the default scenario.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819264772612098,
"PublicVulnsExtendedTblId": 1792819264747446287,
"Name": "The issue has a detailed technical explanation published, that can aid in exploit development",
"Description": "The GitHub issue details the vulnerability and how to trigger it.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819264772612099,
"PublicVulnsExtendedTblId": 1792819264747446287,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819264772612100,
"PublicVulnsExtendedTblId": 1792819264747446287,
"RefType": "Patch",
"Title": "Official Fix Commit",
"Url": "https://go-review.googlesource.com/c/go/+/540257",
"InsertOrder": 1
},
{
"Id": 1792819264772612101,
"PublicVulnsExtendedTblId": 1792819264747446287,
"RefType": "Technical Writeup",
"Title": "Technical Write-up",
"Url": "https://github.com/golang/go/issues/63845",
"InsertOrder": 2
},
{
"Id": 1792819264772612102,
"PublicVulnsExtendedTblId": 1792819264747446287,
"RefType": "Advisory",
"Title": "Vulnerability Report: GO-2023-2383",
"Url": "https://pkg.go.dev/vuln/GO-2023-2383",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-128619",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.14.12",
"1.15.0-0 ≤ Version < 1.15.5"
],
"fixed_versions": [
"1.14.12",
"1.15.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-28366",
"cwe": [
"CWE-94"
],
"cvss_v2": "5.1/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"description": "The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.This can be caused by malicious unquoted symbol name in a linked object file.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819240701501440,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-128619",
"VulnerabilityTitle": "",
"ShortDescription": "The go command line tool does not filter malicious symbols which could lead to arbitrary code injection on the development system.",
"FullDescription": "The go command line tool, when used to build untrusted code, such as by running `go get` on a malicious package, could run arbitrary malicious code on the system it is executed on. This vulnerability will most likely be relevant to developer machines, where new, potentially malicious packages could be downloaded and built by the developer. This issue is similar to [CVE-2020-28367](https://nvd.nist.gov/vuln/detail/CVE-2020-28367) which was fixed in the same Go versions.",
"Impact": 5,
"VulnerabilityType": "Script code injection",
"Resolution": "##### Deployment mitigations\n\nSet the environment variable CGO_ENABLED to 0 when building packages using `go build` or `go get`.",
"ExtendedImpactReasons": [
{
"Id": 1792819240730861569,
"PublicVulnsExtendedTblId": 1792819240701501440,
"Name": "The CVE has no published technical writeup",
"Description": "",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819240730861570,
"PublicVulnsExtendedTblId": 1792819240701501440,
"Name": "The issue can be exploited by attackers over the network",
"Description": "",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819240730861571,
"PublicVulnsExtendedTblId": 1792819240701501440,
"Name": "The issue has no exploit published",
"Description": "",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819240730861572,
"PublicVulnsExtendedTblId": 1792819240701501440,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "",
"IsPositive": 1,
"InsertOrder": 4
},
{
"Id": 1792819240730861573,
"PublicVulnsExtendedTblId": 1792819240701501440,
"Name": "Exploiting the issue requires the user to interact with the vulnerable software",
"Description": "For running `go get` on a malicious package",
"IsPositive": 1,
"InsertOrder": 5
},
{
"Id": 1792819240730861574,
"PublicVulnsExtendedTblId": 1792819240701501440,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "Unlikely that go get will be run with a malicious package name",
"IsPositive": 1,
"InsertOrder": 6
}
],
"ExtendedReferences": [
{
"Id": 1792819240730861575,
"PublicVulnsExtendedTblId": 1792819240701501440,
"RefType": "Advisory",
"Title": "Fix commit - 1.14.x",
"Url": "https://github.com/golang/go/commit/57ffa7b101296229328eaec6219a7c211a4ac49b",
"InsertOrder": 1
},
{
"Id": 1792819240730861576,
"PublicVulnsExtendedTblId": 1792819240701501440,
"RefType": "Advisory",
"Title": "Fix commit - 1.15.x",
"Url": "https://github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102",
"InsertOrder": 2
},
{
"Id": 1792819240730861577,
"PublicVulnsExtendedTblId": 1792819240701501440,
"RefType": "Advisory",
"Title": "Golang mailing list announcement",
"Url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ",
"InsertOrder": 3
},
{
"Id": 1792819240730861578,
"PublicVulnsExtendedTblId": 1792819240701501440,
"RefType": "Advisory",
"Title": "Go GitHub issue #42559",
"Url": "https://github.com/golang/go/issues/42559",
"InsertOrder": 4
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248648",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30631",
"cwe": [
"CWE-674"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819244899999880,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248648",
"VulnerabilityTitle": "",
"ShortDescription": "Uncontrolled recursion in Golang compress/gzip.Reader.Read leads to denial of service when processing attacker-supplied gzip archives.",
"FullDescription": "Golang provides the [compress/gzip](https://pkg.go.dev/compress/gzip) package in order to compress and decompress GZIP archives.\r\n\r\nIt was discovered that calling `Reader.Read` on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion, which will crash the calling Go process.\r\n\r\nExample code snippet that is vulnerable to this issue -\r\n```go\r\nr := bytes.NewReader(attacker_input)\r\nz, err := NewReader(r)\r\n_, err = z.Read(make([]byte, 10)) // Specific arguments here are irrelevant\r\n```",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819244929359873,
"PublicVulnsExtendedTblId": 1792819244899999880,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The target program must decompress an attacker-supplied gzip archive. More specifically - the attacker must find remote input that propagates into a `compress/gzip.Reader.Read` API call.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819244929359874,
"PublicVulnsExtendedTblId": 1792819244899999880,
"Name": "The issue has an exploit published",
"Description": "Published PoC in test code demonstrates denial of service",
"IsPositive": 0,
"InsertOrder": 2
}
],
"ExtendedReferences": [
{
"Id": 1792819244929359875,
"PublicVulnsExtendedTblId": 1792819244899999880,
"RefType": "Advisory",
"Title": "GitHub advisory",
"Url": "https://github.com/advisories/GHSA-r654-8j96-crqx",
"InsertOrder": 1
},
{
"Id": 1792819244929359876,
"PublicVulnsExtendedTblId": 1792819244899999880,
"RefType": "Exploit",
"Title": "Exploit in PoC test code",
"Url": "https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e%5E%21/#F1",
"InsertOrder": 2
},
{
"Id": 1792819244929359877,
"PublicVulnsExtendedTblId": 1792819244899999880,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.googlesource.com/go/+/b2b8872c876201eac2d0707276c6999ff3eb185e",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-231116",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.11",
"1.18.0-0 ≤ Version < 1.18.3"
],
"fixed_versions": [
"1.17.11",
"1.18.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30634",
"cwe": [
"CWE-835"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248647",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30635",
"cwe": [
"CWE-674"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819245067771904,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248647",
"VulnerabilityTitle": "",
"ShortDescription": "Uncontrolled recursion in Golang encoding/gob.Decoder.Decode leads to denial of service when decoding attacker-supplied Gob streams.",
"FullDescription": "Golang supports an optimized encoder/decoder called \"gob\" for binary values exchanged between an Encoder (transmitter) and a Decoder (receiver). A typical use is transporting arguments and results of remote procedure calls (RPCs) such as those provided by package \"net/rpc\".\r\n\r\nIt was discovered that calling `Decoder.Decode` on a message which contains deeply nested structures can cause a panic due to stack exhaustion., which will crash the calling Go process.\r\n\r\nExample code snippet vulnerable to this issue-\r\n```go\r\ndec := NewDecoder(attacker_input)\r\ndec.Decode(&output)\r\n```",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819245101326338,
"PublicVulnsExtendedTblId": 1792819245067771904,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find remote input that propagates into a `NewDecoder` API call (first argument). The built `Decoder` must then invoke the `Decode` call",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819245101326339,
"PublicVulnsExtendedTblId": 1792819245067771904,
"Name": "The issue has an exploit published",
"Description": "Published PoC in test code demonstrates denial of service",
"IsPositive": 0,
"InsertOrder": 2
}
],
"ExtendedReferences": [
{
"Id": 1792819245101326340,
"PublicVulnsExtendedTblId": 1792819245067771904,
"RefType": "Advisory",
"Title": "GitHub advisory",
"Url": "https://github.com/advisories/GHSA-5fhx-39r8-3jwh",
"InsertOrder": 1
},
{
"Id": 1792819245101326341,
"PublicVulnsExtendedTblId": 1792819245067771904,
"RefType": "Exploit",
"Title": "Exploit in PoC test code",
"Url": "https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7%5E%21/#F1",
"InsertOrder": 2
},
{
"Id": 1792819245101326342,
"PublicVulnsExtendedTblId": 1792819245067771904,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-257609",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.18.7",
"1.19.0-0 ≤ Version < 1.19.2"
],
"fixed_versions": [
"1.18.7",
"1.19.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-2880",
"cwe": [
"CWE-444"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value.After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819248230277121,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-257609",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input validation in Golang net/http/httputil and net/url may enable attackers to perform filter bypass & parameter smuggling.",
"FullDescription": "Golang's [net/http/httputil](https://pkg.go.dev/net/http/httputil) package provides HTTP utility functions, complementing the ones in Golang's net/http package.\r\n\r\nGolang's [net/http](https://pkg.go.dev/net/http) package provides HTTP client and server implementations in Golang.\r\n\r\nGolang's [net/url](https://pkg.go.dev/net/url) package is used for parsing URLs and query escaping.\r\n\r\nIn Go 1.17, URL parsing was changed to reject keys containing a semicolon. But despite the function `net/url.ParseQuery` being changed to raise an error when given a parameter with `;`, the function `net/url.URL.Query`, which calls the `net/url.ParseQuery`, ignores any error returned by it. Furthermore, the function `net/http/httputils.NewSingleHostReverseProxy` does not parse the query at all and sends the raw query to the backend.\r\n\r\nThis means that when there's a version discrepancy between the frontend and the backend - where the frontend uses a Go 1.17 or later, and the backend uses Go 1.16.x or earlier - it is possible for attackers to use parameter smuggling in order to bypass possible filters.\r\n\r\nTake for example the fictional website `https://mysite`, which uses Go 1.18 for its frontend and Go 1.16 for its backend. When going to `https://mysite/home`, the user's name is added as a parameter, e.g. `https://mysite/home?name=sam`. In addition to the `name` parameter, it is possible to add a `role` parameter, which can be set to either `user` or `admin`. When the parameter is set to `admin` the frontend checks whether the user's name is that of an admin or not before forwarding the query to the backend.\r\n\r\nHowever, when an attacker sends a request such as `https://mysite/home?role=admin;&name=regularuser`, and the frontend parses it using `net/url.URL.Query`, the function will only return the `name=regularuser` parameter and raise no error. Since the frontend deems the request valid, it will pass it to the backend using `net/http/httputils.NewSingleHostReverseProxy`, which will pass the raw query instead of the parsed query from `net/url.URL.Query` to the backend. When the backend parses the query, both `name=regularuser` and `role=admin` will be returned. Thus, the attacker bypassed the frontend's filter.\r\n\r\nThe vulnerability does not exist if the frontend and the backend both use Go before 1.17 or Go after 1.17.",
"Impact": 5,
"VulnerabilityType": "Filter Bypass",
"Resolution": "##### Development mitigations\n\nUse `net/url.ParseQuery` instead of `net/url.URL.Query`, and check for errors returned by it.",
"ExtendedImpactReasons": [
{
"Id": 1792819248255442945,
"PublicVulnsExtendedTblId": 1792819248230277121,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "A simple addition of the `;` character to a vulnerable parameter can lead to successful exploitation.\r\nThere are several exploitation examples of this issue online and it is trivial to create a new one when a vulnerable application is found.",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819248255442946,
"PublicVulnsExtendedTblId": 1792819248230277121,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "- The attacker has to know that the frontend/proxy and backend of the target both use Golang, and that the frontend/proxy use Go 1.17 or later, while the backend uses an earlier version of Go (before 1.17).\r\n- They also need to know that there isn't any additional sanitization on the URL before parsing the query or sending it to the backend through the proxy.\r\n- The attacker should find a vulnerable parameter that can be exploited with a meaningful applicative impact.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819248255442947,
"PublicVulnsExtendedTblId": 1792819248230277121,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The impact of the vulnerability depends on the parameters that can be given to the URL and their effects.",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819248255442948,
"PublicVulnsExtendedTblId": 1792819248230277121,
"Name": "The issue has a detailed technical explanation published, that can aid in exploit development",
"Description": "",
"IsPositive": 0,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819248255442949,
"PublicVulnsExtendedTblId": 1792819248230277121,
"RefType": "Technical Writeup",
"Title": "Technical writeup with some PoC examples",
"Url": "https://www.oxeye.io/blog/golang-parameter-smuggling-attack",
"InsertOrder": 1
},
{
"Id": 1792819248255442950,
"PublicVulnsExtendedTblId": 1792819248230277121,
"RefType": "Exploit",
"Title": "Bypass PoC from test code",
"Url": "https://go-review.googlesource.com/c/go/+/432976/3/src/net/http/httputil/reverseproxy_test.go#1830",
"InsertOrder": 2
},
{
"Id": 1792819248255442951,
"PublicVulnsExtendedTblId": 1792819248230277121,
"RefType": "Patch",
"Title": "The official Golang patch",
"Url": "https://go-review.googlesource.com/c/go/+/432976",
"InsertOrder": 3
},
{
"Id": 1792819248255442952,
"PublicVulnsExtendedTblId": 1792819248230277121,
"RefType": "Advisory",
"Title": "The official Golang advisory",
"Url": "https://pkg.go.dev/vuln/GO-2022-1038",
"InsertOrder": 4
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-189375",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.10",
"1.17.0-0 ≤ Version < 1.17.3"
],
"fixed_versions": [
"1.16.10",
"1.17.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-41772",
"cwe": [
"CWE-20"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or \"..\" path elements.Open could also panic if passed the empty string directly as an argument.Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File.Note that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one.Finally, the actual panic site was made robust as a defense-in-depth measure.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819242345668608,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-189375",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input validation in Go's archive/zip leads to denial of service when reading crafted ZIP archives.",
"FullDescription": "[Go](https://golang.org/) is an open source programming language developed by Google with the same syntax of C language but with memory safety, garbage collection, structural typing, and CSP-style concurrency.\r\n\r\nIt was discovered that the built-in archive/zip `Reader.Open` API doesn't properly validate the input ZIP file. Specifically, attackers can exploit this vulnerability by providing a crafted ZIP archive containing invalid or empty filenames, which will lead to a Panic and subsequently, a program crash.\r\n\r\nA public [exploit](https://play.golang.org/p/WWHxZRKu2gY) exists which demonstrates denial of service, making this vulnerability likely to be exploited in practice.",
"Impact": 6,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819242375028738,
"PublicVulnsExtendedTblId": 1792819242345668608,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find a way to upload a crafted ZIP archive which will get processed by the archive/zip `Reader.Open` API",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819242375028739,
"PublicVulnsExtendedTblId": 1792819242345668608,
"Name": "The issue has an exploit published",
"Description": "The published exploit demonstrates DoS by throwing a Panic",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819242375028740,
"PublicVulnsExtendedTblId": 1792819242345668608,
"Name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
"Description": "It is highly likely that the archive/zip `Reader.Open` API will be used to open untrusted ZIP archives",
"IsPositive": 0,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819242375028741,
"PublicVulnsExtendedTblId": 1792819242345668608,
"RefType": "Exploit",
"Title": "PoC exploit",
"Url": "https://play.golang.org/p/WWHxZRKu2gY",
"InsertOrder": 1
},
{
"Id": 1792819242375028742,
"PublicVulnsExtendedTblId": 1792819242345668608,
"RefType": "Advisory",
"Title": "Official advisory",
"Url": "https://github.com/golang/go/issues/48085",
"InsertOrder": 2
},
{
"Id": 1792819242375028743,
"PublicVulnsExtendedTblId": 1792819242345668608,
"RefType": "Patch",
"Title": "Fix commit",
"Url": "https://github.com/golang/go/commit/b212ba68296b503b395e7d1838ca72a19030a6bf",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-208920",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.9",
"1.18.0-0 ≤ Version < 1.18.1"
],
"fixed_versions": [
"1.17.9",
"1.18.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-28327",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819243708817408,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-208920",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input validation in Go's `crypto/elliptic` package may lead to a denial of service when processing a user-supplied scalar input.",
"FullDescription": "The [crypto/elliptic](https://pkg.go.dev/crypto/elliptic) is a library that provides cryptographic operations for elliptic curve cryptography in the Go programming language. It is a standard package included in the Go standard library and is widely used in the development of secure applications that rely on elliptic curve cryptography.\r\nThe P256 elliptic curve is utilized in cryptographic protocols, specifically in the widespread deployment of the ECDSA (Elliptic Curve Digital Signature Algorithm) signature scheme.\r\nIn elliptic curve cryptography, a scalar refers to a non-negative integer used for scalar multiplication with a point on the curve.\r\n\r\nA flaw discovered in this P256 elliptic curve can cause the application to panic and may lead to a denial of service.\r\nIf the input scalar is strictly longer than 32 bytes, the `P256().ScalarMult` or `P256().ScalarBaseMult` functions may perform an out-of-bound write, thus causing a Golang panic.\r\n\r\nNote: Indirect uses through `crypto/ecdsa` and `crypto/tls` are unaffected. `amd64`, `arm64`, `ppc64le` and `s390x` platforms are also unaffected.\r\n\r\nExample of vulnerable code:\r\n```\r\nfunc VulnExample(c elliptic.Curve, px *big.Int, py *big.Int) (int, error) {\r\n\th.ax, h.ay = c.ScalarBaseMult(h.s.Bytes())\r\n\ttx, ty := c.ScalarMult(px, py, h.s.Bytes())\r\n\th.bx, h.by = c.Add(tx, ty, c.Params().Gx, c.Params().Gy)\r\n\treturn DiscreteLog(h.bx, h,by, c, 1<<10)\r\n```",
"Impact": 4,
"VulnerabilityType": "Denial of service",
"Resolution": "##### Development mitigations\n\nCheck the length of the passed scalar as in the following example:\r\n```\r\nfunc NotVulnExample(c elliptic.Curve, px *big.Int, py *big.Int) (int, error) {\r\n // Check that the scalar value is less than 32 bytes long\r\n if len(h.s.Bytes()) > 32 {\r\n return 0, errors.New(\"scalar value too long\")\r\n }\r\n \r\n h.ax, h.ay = c.ScalarBaseMult(h.s.Bytes())\r\n tx, ty := c.ScalarMult(px, py, h.s.Bytes())\r\n h.bx, h.by = c.Add(tx, ty, c.Params().Gx, c.Params().Gy)\r\n\r\n return DiscreteLog(h.bx, h.by, h.ay, c, 1<<10)\r\n}\r\n\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819243746566145,
"PublicVulnsExtendedTblId": 1792819243708817408,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819243746566146,
"PublicVulnsExtendedTblId": 1792819243708817408,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attackers must find a remote input that propagates to the vulnerable functions `P256().ScalarMult()` or `P256().ScalarBaseMult()`.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819243746566147,
"PublicVulnsExtendedTblId": 1792819243708817408,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "A specifically crafted input longer than 32 bytes could lead to a buffer overflow. However, this is unlikely to happen in most cases since the `crypto/elliptic` package is typically used indirectly through other packages, and the inputs to the vulnerable function are rarely under user control.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819243746566148,
"PublicVulnsExtendedTblId": 1792819243708817408,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/397135",
"InsertOrder": 1
},
{
"Id": 1792819243746566149,
"PublicVulnsExtendedTblId": 1792819243708817408,
"RefType": "Advisory",
"Title": "Advisory",
"Url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248630",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30633",
"cwe": [
"CWE-674"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819244753199104,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248630",
"VulnerabilityTitle": "",
"ShortDescription": "Uncontrolled recursion in Golang encoding/xml.Unmarshal leads to denial of service when processing attacker-supplied XML documents into structs with the \"any\" field tag.",
"FullDescription": "The `Unmarshal` method allows deserializing XML documents into Golang types.\r\n\r\nIt was discovered that Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion, which will crash the calling Go process.\r\n\r\nExample code snippet vulnerable to this issue -\r\n```go\r\n// Need a struct that uses the \"any\" field tag\r\ntype nested struct {\r\n\tParent *nested `xml:\",any\"`\r\n}\r\n\r\nvar vulnerable_struct nested\r\nerr := Unmarshal(attacker_input, &vulnerable_struct)\r\n```",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819244786753537,
"PublicVulnsExtendedTblId": 1792819244753199104,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find remote input that propagates into a `encoding/xml.Unmarshal` API call (first argument) while the `Unmarshal` 2nd argument points to a struct that has the `any` field tag",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819244786753538,
"PublicVulnsExtendedTblId": 1792819244753199104,
"Name": "The issue has an exploit published",
"Description": "Published PoC in test code demonstrates denial of service",
"IsPositive": 0,
"InsertOrder": 2
}
],
"ExtendedReferences": [
{
"Id": 1792819244786753539,
"PublicVulnsExtendedTblId": 1792819244753199104,
"RefType": "Advisory",
"Title": "GitHub advisory",
"Url": "https://github.com/advisories/GHSA-r9vw-mppf-3883",
"InsertOrder": 1
},
{
"Id": 1792819244786753540,
"PublicVulnsExtendedTblId": 1792819244753199104,
"RefType": "Exploit",
"Title": "Exploit in PoC test code",
"Url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08%5E%21/#F1",
"InsertOrder": 2
},
{
"Id": 1792819244786753541,
"PublicVulnsExtendedTblId": 1792819244753199104,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-513415",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.8",
"1.20.0-0 ≤ Version < 1.20.3"
],
"fixed_versions": [
"1.19.8",
"1.20.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-24534",
"cwe": [
"CWE-400"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service.Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.With fix, header parsing now correctly allocates only the memory required to hold parsed headers.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819260704137217,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-513415",
"VulnerabilityTitle": "",
"ShortDescription": "Improper MIME header parsing in Go's `net/textproto` package can lead to memory exhaustion and denial of service when processing a crafted header.",
"FullDescription": "`net/textproto` is a Go standard library package that offers functionality for parsing and serializing textual protocols used in network communications, such as HTTP, SMTP, NNTP, and FTP, by providing methods for reading and writing lines, headers, and MIME-style messages in a way that handles common protocol-specific quirks and variations.\r\nA vulnerability was identified in the `ReadMIMEHeader()` function within the `net/textproto` package, whereby certain input data patterns (large amounts of LF characters) can cause the function to allocate an excessive amount of memory. For instance, a header with a large number of newline characters may cause the function to over-allocate memory, resulting in memory exhaustion and a denial of service. Attackers could exploit this vulnerability by crafting small requests, making it a relatively easy target for malicious activity.\r\n\r\nThis issue is dangerous since even a very simple Go HTTP server is remotely vulnerable to DoS.\r\n\r\nVulnerable code example -\r\n```go\r\npackage main\r\n\r\nimport (\r\n \"fmt\"\r\n \"net/http\"\r\n)\r\n\r\nfunc hello(w http.ResponseWriter, req *http.Request) {\r\n fmt.Fprintf(w, \"hello\\n\")\r\n}\r\n\r\nfunc main() {\r\n http.HandleFunc(\"/hello\", hello)\r\n http.ListenAndServe(\":80\", nil)\r\n}\r\n```",
"Impact": 6,
"VulnerabilityType": "Denial of service",
"Resolution": "##### Deployment mitigations\n\nDefine a `systemd service` and limit the memory available to the application. It will prevent it from crashing the host system.\r\nTo do that, create a `.service` file in the `/etc/systemd/system/` directory and fill it in following the template given here:\r\n```\r\n[Unit]\r\nDescription = My HTTP server\r\nRequires = my_http_app.socket\r\nAfter = multi-user.target\r\n\r\n[Service]\r\nUser = www-user\r\nGroup = www-user\r\nWorkingDirectory = /var/my_http_server\r\nExecStart = /var/my_http_server/bin/my-server\r\nExecReload = /bin/kill -HUP $MAINPID\r\nRestart = always\r\nNotifyAccess = main\r\nKillMode = process\r\nNonBlocking = true\r\nMemoryMax = 20G\r\n```\r\nwith the according socket file (`my_http_app.socket`):\r\n```\r\n[Unit]\r\nDescription=My HTTP server socket\r\n\r\n[Socket]\r\nListenStream = 80\r\nBindIPv6Only = both\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819260729303041,
"PublicVulnsExtendedTblId": 1792819260704137217,
"Name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
"Description": "Go HTTP servers (with no special configurations) are vulnerable to this attack remotely",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819260729303042,
"PublicVulnsExtendedTblId": 1792819260704137217,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "An attacker can easily craft a request with a significant amount of newline characters in any MIME header in order to trigger the issue.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819260729303043,
"PublicVulnsExtendedTblId": 1792819260704137217,
"Name": "The issue results in a severe impact (such as remote code execution)",
"Description": "This issue leads to memory exhaustion and potential denial of service of the HTTP server",
"IsPositive": 0,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819260729303044,
"PublicVulnsExtendedTblId": 1792819260704137217,
"RefType": "Advisory",
"Title": "Go Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1704",
"InsertOrder": 1
},
{
"Id": 1792819260729303045,
"PublicVulnsExtendedTblId": 1792819260704137217,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/481994",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-139137",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the \"go get\" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.14.14",
"1.15.0-0 ≤ Version < 1.15.7"
],
"fixed_versions": [
"1.14.14",
"1.15.7"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-3115",
"cwe": [
"CWE-427"
],
"cvss_v2": "5.1/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"description": "The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get on a malicious module, or any other time the code is built.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-128578",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.14.12",
"1.15.0-0 ≤ Version < 1.15.5"
],
"fixed_versions": [
"1.14.12",
"1.15.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-28367",
"cwe": [
"CWE-94"
],
"cvss_v2": "5.1/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"description": "The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.This can be caused by malicious gcc flags specified via a cgo directive.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819240848302080,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-128578",
"VulnerabilityTitle": "",
"ShortDescription": "The go command line tool improperly validates CGO flags which could lead to arbitrary code injection on the development system.",
"FullDescription": "The go command line tool, when used to build untrusted code, such as by running `go get` on a malicious package, could run arbitrary malicious code on the system it is executed on. This vulnerability will most likely be relevant to developer machines, where new, potentially malicious packages could be downloaded and built by the developer. This issue is similar to [CVE-202-28366](https://nvd.nist.gov/vuln/detail/CVE-2020-28366) which was fixed in the same Go versions.",
"Impact": 5,
"VulnerabilityType": "Script code injection",
"Resolution": "##### Deployment mitigations\n\nSet the environment variable CGO_ENABLED to 0 when building packages using `go build` or `go get`.",
"ExtendedImpactReasons": [
{
"Id": 1792819240873467905,
"PublicVulnsExtendedTblId": 1792819240848302080,
"Name": "The issue can be exploited by attackers over the network",
"Description": "",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819240873467906,
"PublicVulnsExtendedTblId": 1792819240848302080,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "Unlikely that go get will be run with a malicious package name",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819240873467907,
"PublicVulnsExtendedTblId": 1792819240848302080,
"Name": "Exploiting the issue requires the user to interact with the vulnerable software",
"Description": "For running `go get` on a malicious package",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819240873467908,
"PublicVulnsExtendedTblId": 1792819240848302080,
"RefType": "Advisory",
"Title": "Fix commit",
"Url": "https://github.com/golang/go/commit/da7aa86917811a571e6634b45a457f918b8e6561",
"InsertOrder": 1
},
{
"Id": 1792819240873467909,
"PublicVulnsExtendedTblId": 1792819240848302080,
"RefType": "Advisory",
"Title": "Go GitHub issue #42556",
"Url": "https://github.com/golang/go/issues/42556",
"InsertOrder": 2
},
{
"Id": 1792819240873467910,
"PublicVulnsExtendedTblId": 1792819240848302080,
"RefType": "Advisory",
"Title": "Golang mailing list announcement",
"Url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-513414",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.8",
"1.20.0-0 ≤ Version < 1.20.3"
],
"fixed_versions": [
"1.19.8",
"1.20.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-24536",
"cwe": [
"CWE-770"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts.This stems from several causes:1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended.2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations.In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms:1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819261102596097,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-513414",
"VulnerabilityTitle": "",
"ShortDescription": "Improper part counting in Go's `mime/multipart` and `net/http` packages can lead to CPU and memory denial of service when processing form inputs with many parts.",
"FullDescription": "The `net/http` and `mime/multipart` packages in Go are used for handling HTTP requests and responses, and for parsing multipart/form-data requests, respectively.\r\nThe `mime/multipart.Reader.ReadForm` function can undercount the amount of memory consumed when parsing multipart form inputs, leading to larger inputs being accepted than intended. Additionally, the function can allocate a large number of short-lived buffers, which can further increase pressure on the garbage collector. These factors combined can allow an attacker to cause the program to consume large amounts of CPU and memory, potentially leading to a denial of service.\r\n\r\nNote that some `net/http` package functions such as `Request.FormFile`, `Request.FormValue`, `Request.ParseMultipartForm` and `Request.PostFormValue` are also vulnerable as they call the vulnerable function `mime/multipart.Reader.ReadForm`.\r\n\r\n```go\r\n// forms.go\r\npackage main\r\n\r\nimport (\r\n \"html/template\"\r\n \"net/http\"\r\n)\r\n\r\ntype ContactDetails struct {\r\n Email string\r\n Subject string\r\n Message string\r\n}\r\n\r\nfunc main() {\r\n tmpl := template.Must(template.ParseFiles(\"forms.html\"))\r\n\r\n http.HandleFunc(\"/\", func(w http.ResponseWriter, r *http.Request) {\r\n if r.Method != http.MethodPost {\r\n tmpl.Execute(w, nil)\r\n return\r\n }\r\n\r\n details := ContactDetails{\r\n Email: r.FormValue(\"email\"),\r\n Subject: r.FormValue(\"subject\"),\r\n Message: r.FormValue(\"message\"),\r\n }\r\n\r\n // do something with details\r\n _ = details\r\n\r\n tmpl.Execute(w, struct{ Success bool }{true})\r\n })\r\n\r\n http.ListenAndServe(\":8080\", nil)\r\n}\r\n```",
"Impact": 6,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819261140344833,
"PublicVulnsExtendedTblId": 1792819261102596097,
"Name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
"Description": "It is highly likely that HTTP form data will be received from possibly untrusted sources",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819261140344834,
"PublicVulnsExtendedTblId": 1792819261102596097,
"Name": "The issue results in a severe impact (such as remote code execution)",
"Description": "This issue leads to denial of service in server applications.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819261140344835,
"PublicVulnsExtendedTblId": 1792819261102596097,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "A request containing multipart form data with many parts is enough to trigger the issue.",
"IsPositive": 0,
"InsertOrder": 3
},
{
"Id": 1792819261140344836,
"PublicVulnsExtendedTblId": 1792819261102596097,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attackers must find a remote input that propagates to the `mime/multipart.Reader.ReadForm` function.",
"IsPositive": 1,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819261140344837,
"PublicVulnsExtendedTblId": 1792819261102596097,
"RefType": "Patch",
"Title": "Patch 3/3",
"Url": "https://go-review.googlesource.com/c/go/+/482077",
"InsertOrder": 1
},
{
"Id": 1792819261140344838,
"PublicVulnsExtendedTblId": 1792819261102596097,
"RefType": "Patch",
"Title": "Patch 2/3",
"Url": "https://go-review.googlesource.com/c/go/+/482076",
"InsertOrder": 2
},
{
"Id": 1792819261140344839,
"PublicVulnsExtendedTblId": 1792819261102596097,
"RefType": "Patch",
"Title": "Patch 1/3",
"Url": "https://go-review.googlesource.com/c/go/+/482075",
"InsertOrder": 3
},
{
"Id": 1792819261140344840,
"PublicVulnsExtendedTblId": 1792819261102596097,
"RefType": "Advisory",
"Title": "Go advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1705",
"InsertOrder": 4
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248652",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-28131",
"cwe": [
"CWE-674"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819244413460480,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248652",
"VulnerabilityTitle": "",
"ShortDescription": "Uncontrolled recursion in Golang encoding/xml.Decoder.Skip leads to denial of service when processing attacker-supplied XML documents.",
"FullDescription": "Golang provides support for iterating over an XML document by using the `Decoder` object supplied by the [encoding/xml](https://pkg.go.dev/encoding/xml) package. The `Decoder` object also supports skipping over XML elements (including their nested children) by calling the `Skip` method recursively.\r\n\r\nIt was discovered that when given a deeply nested XML document, the `(*Decoder).Skip` method will recurse many times, which may lead to stack exhaustion. This could cause the calling Golang process to crash.\r\n\r\nThe issue was fixed by replacing the recursion portion of the function with a depth counter. The depth counter will increase for each new start token, and while the depth counter is not 0, will decrease for each new end token.\r\n\r\nWhile `(*Decoder).Skip` may not be used directly, it is called by the widely used `(*Decoder).Decode`, `(*Decoder).DecodeElement` and `Unmarshal` functions.\r\n\r\nExample code snippets that are vulnerable to this issue -\r\n```go\r\ndecoder := xml.NewDecoder(attacker_input)\r\nerr := decoder.Skip()\r\n```\r\n\r\n```go\r\nerr := xml.Unmarshal(attacker_input, result_object)\r\n```\r\n\r\nThe vulnerable behavior can be exploited by attackers to cause denial of service, by providing crafted, deeply nested XML documents to one of the following API functions (from `encoding/xml`):\r\n\r\n1. `(*Decoder).Skip`\r\n2. `(*Decoder).Decode`\r\n3. `(*Decoder).DecodeElement`\r\n4. `Unmarshal`",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819244442820609,
"PublicVulnsExtendedTblId": 1792819244413460480,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find remote input that propagates into an `encoding/xml.Unmarshal` API call (first argument) or an `encoding/xml.NewDecoder` API call (first argument). In the latter case, the created decoder type must then also call either the `Skip`, `Decode` or `DecodeElement` methods.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819244442820610,
"PublicVulnsExtendedTblId": 1792819244413460480,
"Name": "The issue has an exploit published",
"Description": "Published PoC in test code demonstrates denial of service",
"IsPositive": 0,
"InsertOrder": 2
}
],
"ExtendedReferences": [
{
"Id": 1792819244442820611,
"PublicVulnsExtendedTblId": 1792819244413460480,
"RefType": "Advisory",
"Title": "GitHub advisory",
"Url": "https://github.com/advisories/GHSA-3p2w-3263-9gr3",
"InsertOrder": 1
},
{
"Id": 1792819244442820612,
"PublicVulnsExtendedTblId": 1792819244413460480,
"RefType": "Exploit",
"Title": "Exploit in PoC test code",
"Url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3%5E%21/#F1",
"InsertOrder": 2
},
{
"Id": 1792819244442820613,
"PublicVulnsExtendedTblId": 1792819244413460480,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3",
"InsertOrder": 3
},
{
"Id": 1792819244442820614,
"PublicVulnsExtendedTblId": 1792819244413460480,
"RefType": "Advisory",
"Title": "The official Golang advisory.",
"Url": "https://pkg.go.dev/vuln/GO-2022-0521",
"InsertOrder": 4
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248651",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either \"..com\" or \"..exe\" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.11",
"1.18.0-0 ≤ Version < 1.18.3"
],
"fixed_versions": [
"1.17.11",
"1.18.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30580",
"cwe": [
"CWE-94"
],
"cvss_v3": "7.8/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either \"..com\" or \"..exe\".",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819245550116864,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-248651",
"VulnerabilityTitle": "",
"ShortDescription": "Execution path hijacking in Golang's Cmd.Run, Cmd.Start, Cmd.Output and Cmd.CombinedOutput allows for local privilege escalation.",
"FullDescription": "On Windows, executing `Cmd.Run`, `Cmd.Start`, `Cmd.Output`, or `Cmd.CombinedOutput` when `Cmd.Path` is unset will unintentionally trigger execution of any binaries in the working directory named either `..com` or `..exe` \r\n\r\nAn attacker that can plant a malicious executable in the same working directory as a vulnerable Go application, will achieve code execution in the privileges of the vulnerable Go application.\r\nNote that it is extremely rare that any of the vulnerable APIs will be called with `Cmd.Path` being unset.\r\n\r\nExample code that can trigger this issue -\r\n```go\r\nfunc TestNoPath(t *testing.T) {\r\n\terr := new(exec.Cmd).Start()\r\n\twant := \"exec: no command\"\r\n\tif err == nil || err.Error() != want {\r\n\t\tt.Errorf(\"new(Cmd).Start() = %v, want %q\", err, want)\r\n\t}\r\n}\r\n```\r\n```",
"Impact": 5,
"VulnerabilityType": "Local privilege escalation",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819245583671297,
"PublicVulnsExtendedTblId": 1792819245550116864,
"Name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)",
"Description": "The attacker must be able to plant a malicious executable in a specified directory with a specified name",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819245583671298,
"PublicVulnsExtendedTblId": 1792819245550116864,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "Local privilege escalation with the privileges of the vulnerable Go application",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819245583671299,
"PublicVulnsExtendedTblId": 1792819245550116864,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "An attacker simply needs to plant a malicious executable in a specified directory with a specified name",
"IsPositive": 0,
"InsertOrder": 3
},
{
"Id": 1792819245583671300,
"PublicVulnsExtendedTblId": 1792819245550116864,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "It is extremely rare that any of the vulnerable APIs will be called with `Cmd.Path` being unset. In addition, the attacker must be able to plant an executable named `..exe` or `..com` in the working directory of the vulnerable Go app.",
"IsPositive": 1,
"InsertOrder": 4
},
{
"Id": 1792819245583671301,
"PublicVulnsExtendedTblId": 1792819245550116864,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The vulnerable Go application must call `Cmd.Run`, `Cmd.Start`, `Cmd.Output`, or `Cmd.CombinedOutput` when `Cmd.Path` is unset. For example -\r\n```go\r\nerr := new(exec.Cmd).Start()\r\n```",
"IsPositive": 1,
"InsertOrder": 5
}
],
"ExtendedReferences": [
{
"Id": 1792819245583671302,
"PublicVulnsExtendedTblId": 1792819245550116864,
"RefType": "Advisory",
"Title": "Original advisory",
"Url": "https://github.com/golang/vulndb/blob/master/data/reports/GO-2022-0532.yaml",
"InsertOrder": 1
},
{
"Id": 1792819245583671303,
"PublicVulnsExtendedTblId": 1792819245550116864,
"RefType": "Patch",
"Title": "Official fix",
"Url": "https://go-review.googlesource.com/c/go/+/403759/",
"InsertOrder": 2
},
{
"Id": 1792819245583671304,
"PublicVulnsExtendedTblId": 1792819245550116864,
"RefType": "Exploit",
"Title": "Test code demonstrating a vulnerable method",
"Url": "https://go-review.googlesource.com/c/go/+/403759/4/src/os/exec/exec_test.go#1130",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-198037",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.14",
"1.17.0-0 ≤ Version < 1.17.7"
],
"fixed_versions": [
"1.16.14",
"1.17.7"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-23773",
"cwe": [
"CWE-436"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description": "Incorrect access control is possible in the go command.The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819243289387008,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-198037",
"VulnerabilityTitle": "",
"ShortDescription": "Design issue in Go's `cmd/go` package can lead to unexpected behavior when fetching a tag version that does not exist while a branch with the same name does exist.",
"FullDescription": "[cmd/go](https://pkg.go.dev/cmd/go) is a command-line tool and part of the Go programming language's toolchain. It is primarily used for managing Go modules, which are collections of Go packages and their dependencies.\r\nThe logic in `(*modfetch).codeRepo.Stat` function, part of the `cmd/go` package, has a short-circuit when processing a branch name that resembles a version tag (such as `v1.0.0` or `subdir/v2.0.0-dev`).\r\nIn that issue, the concern raised was that the vulnerability allowed branches with names resembling version tags to be treated as valid versions by the `go` command, potentially bypassing the existing ACLs. This means that even if an organization had restrictions on creating version tags, a branch named `v1.0.0` or similar could still be mistakenly recognized as a valid version by Go.\r\n\r\nFor example, if a system contains a branch named `v1.0.1` and a corresponding tag is missing for that specific version, running the command `go get [...]@v1.0.1` would fetch the branch instead of a version tag.",
"Impact": 4,
"VulnerabilityType": "Unspecified",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819243322941441,
"PublicVulnsExtendedTblId": 1792819243289387008,
"Name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)",
"Description": "This issue is locally exploitable as it requires the attacker to have access to a low-permission user in the system (that can fetch tags) to get a branch's content that is not supposed to be available to them.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819243322941442,
"PublicVulnsExtendedTblId": 1792819243289387008,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "This issue can be triggered in a very specific configuration where an organization or repository hosting a Go project may have ACLs in place to restrict the creation of version tags but not branches. The attackers must find a branch whose name resembles a version tag name which is very unlikely.",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819243322941443,
"PublicVulnsExtendedTblId": 1792819243289387008,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The impact depends on the sensitivity of the branch content. The worst case is data leakage of sensitive content on the next to-be-released versions.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819243322941444,
"PublicVulnsExtendedTblId": 1792819243289387008,
"RefType": "Advisory",
"Title": "Go advisory",
"Url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ",
"InsertOrder": 1
},
{
"Id": 1792819243322941445,
"PublicVulnsExtendedTblId": 1792819243289387008,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/378400",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-257610",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.18.7",
"1.19.0-0 ≤ Version < 1.19.2"
],
"fixed_versions": [
"1.18.7",
"1.19.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-2879",
"cwe": [
"CWE-770"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819248096059392,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-257610",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input validation in Golang archive/tar enables attackers to perform denial of service via a maliciously crafted tar archive.",
"FullDescription": "Golang's [tar](https://pkg.go.dev/archive/tar) module provides access to reading and writing tar archives.\r\n\r\nIn the archive/tar module, the functions `Reader.parsePax`, and `Reader.next` do not limit the maximum size of file header's, which could cause an out of memory error when crafted files are parsed. \r\n\r\nAttackers can trigger the vulnerability by uploading a maliciously crafted tar archive with large headers, which subsequently needs to get processed via `tar.NewReader` and `Reader.Next`.",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819248121225217,
"PublicVulnsExtendedTblId": 1792819248096059392,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker has to be able to upload tar archives which subsequently get processed via `tar.NewReader` and `Reader.Next`",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819248121225218,
"PublicVulnsExtendedTblId": 1792819248096059392,
"Name": "The issue has an exploit published",
"Description": "Test code contains a DoS PoC",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819248121225219,
"PublicVulnsExtendedTblId": 1792819248096059392,
"Name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
"Description": "It is likely that Golang's tar module will be used to process untrusted tar archives",
"IsPositive": 0,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819248121225220,
"PublicVulnsExtendedTblId": 1792819248096059392,
"RefType": "Exploit",
"Title": "DoS PoC from test code",
"Url": "https://go-review.googlesource.com/c/go/+/438498/2/src/archive/tar/testdata/pax-bad-hdr-large.tar.bz2",
"InsertOrder": 1
},
{
"Id": 1792819248121225221,
"PublicVulnsExtendedTblId": 1792819248096059392,
"RefType": "Advisory",
"Title": "The official Golang advisory",
"Url": "https://pkg.go.dev/vuln/GO-2022-1037",
"InsertOrder": 2
},
{
"Id": 1792819248121225222,
"PublicVulnsExtendedTblId": 1792819248096059392,
"RefType": "Patch",
"Title": "The official Golang patch",
"Url": "https://go-review.googlesource.com/c/go/+/439355",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-246851",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.12.16",
"1.13.0-0 ≤ Version < 1.13.7"
],
"fixed_versions": [
"1.12.16",
"1.13.7"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-0601",
"cwe": [
"CWE-295"
],
"cvss_v2": "5.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N",
"cvss_v3": "8.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
}
],
"description": "A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use.A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system.See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-533052",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.9",
"1.21.0-0 ≤ Version < 1.21.2"
],
"fixed_versions": [
"1.20.9",
"1.21.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-39323",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v3": "8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819263556263936,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-533052",
"VulnerabilityTitle": "",
"ShortDescription": "A design problem in Golang's go command leads to arbitrary code execution when building crafted Go source code.",
"FullDescription": "Compiler directives are statements written in the source code that give the programmer the ability to control the compiler's behavior. Golang compiler accepts compiler directives as comments (using `//` single line and `/*` multi-line comments). \r\n\r\nA [line directive](https://pkg.go.dev/cmd/compile#hdr-Compiler_Directives) specifies the source position for the character immediately following the comment as having come from the specified file. The following example specifies that the filename is foo.go and the line number is 10 for the next line in the source code.\r\n\r\n`//line foo.go:10` \r\n\r\nThe `cgo` package lets Go packages call C code and combines c files and go files into a single Go package. The cgo directives are used to provide flags for the compiler and linker when building the C parts of the package. For security reasons (may lead to code execution), the Golang command restricts the use of `cgo` directives (`//go:cgo_`) unless the file is generated by cgo.\r\n\r\nThe Golang compiler has a design problem in the implementation of the `isCgoGeneratedFile()` function, which leads to cgo directives restrictions being bypassed when handling crafted line directives followed by cgo directives. This function's purpose is to determine whether a file was generated by cgo or not, tricking this function is the key to bypassing the compiler restrictions. The following combination tricks the compiler into handling cgo directives as it is part of cgo-generated code (`_cgo_` prefix) although it is not.\r\n\r\n```\r\n//line /tmp/_cgo_.go:1\r\n//go:cgo_dynamic_linker \"/elf/interp\"\r\n```\r\n\r\nUsing the directives above tricks the compiler to use restricted cgo directives, which can lead to arbitrary code execution when running the `go build` command on the manipulated source code.\r\n\r\nThe line directive requires the absolute path of the file in which the directive lives, which can make exploiting this issue more complex (may require per-target research).\r\n\r\nThe official fix solves this issue by correcting the implementation of the `isCgoGeneratedFile()` function to find the real position of a statement (not the position specified by the line directive).",
"Impact": 5,
"VulnerabilityType": "Remote code execution",
"Resolution": "##### Deployment mitigations\n\nDisable \"cgo\" support by running the go tool with CGO_ENABLED=0 -\r\n`CGO_ENABLED=0 go build .`",
"ExtendedImpactReasons": [
{
"Id": 1792819263581429766,
"PublicVulnsExtendedTblId": 1792819263556263936,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The attacker must be able to write the contents of a Go source code file (that will be compiled using the Go command) to exploit this issue, which is unlikely.",
"IsPositive": 1,
"InsertOrder": 5
},
{
"Id": 1792819263581429762,
"PublicVulnsExtendedTblId": 1792819263556263936,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819263581429763,
"PublicVulnsExtendedTblId": 1792819263556263936,
"Name": "The issue results in a severe impact (such as remote code execution)",
"Description": "Arbitrary code execution",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819263581429764,
"PublicVulnsExtendedTblId": 1792819263556263936,
"Name": "Exploiting the issue requires the user to interact with the vulnerable software",
"Description": "The victim must explicitly build malicious or tampered source code (ex. by running `go build`)",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819263581429765,
"PublicVulnsExtendedTblId": 1792819263556263936,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "",
"IsPositive": 1,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819263581429767,
"PublicVulnsExtendedTblId": 1792819263556263936,
"RefType": "Advisory",
"Title": "Golang advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-2095",
"InsertOrder": 1
},
{
"Id": 1792819263581429768,
"PublicVulnsExtendedTblId": 1792819263556263936,
"RefType": "Patch",
"Title": "Fix",
"Url": "https://go-review.googlesource.com/c/go/+/533195",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-263271",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.18.9",
"1.19.0-0 ≤ Version < 1.19.4"
],
"fixed_versions": [
"1.18.9",
"1.19.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-41720",
"cwe": [
"CWE-22"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description": "On Windows, restricted files can be accessed via os.DirFS and http.Dir.The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.With fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819257419997184,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-263271",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input validation in Golang allows attackers to perform path traversal via os.DirFS and http.dir.",
"FullDescription": "[Golang](https://go.dev/) is a statically typed, compiled programming language.\r\n\r\nDue to insufficient checks in `os.DirFS` and `http.dir`, an attacker can perform path traversal and access any files on the system (according to the user's access).\r\n\r\nThere are multiple ways to trigger this vulnerability -\r\n\r\nOn Linux, opening an empty directory tree (`\"\"`) will be mistakenly treated as opening the root (`/`).\r\nAn example that will mistakenly open `/tmp`:\r\n`os.DirFS(\"\").Open(\"tmp\")`\r\n\r\nOn Windows, the affected functions mistakenly permitted access to Windows-reserved device names (for example `COM1` or `NUL`).\r\nAn example that will open `COM1` (works with any argument to `DirFS`):\r\n`os.DirFS(\"C:/tmp\").Open(\"COM1\")`\r\n\r\nAnother way to trigger the issue on Windows would be using ```os.DirFS(`\\`)``` which will permit an attacker to escape from the drive and access any path on the system (including network shares).",
"Impact": 5,
"VulnerabilityType": "Unspecified",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819257449357313,
"PublicVulnsExtendedTblId": 1792819257419997184,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The security impact of exploiting this vulnerability highly depends on the 1st-party code that uses `os.DirFS()` or `http.dir()`.\r\nFor example, if the code uses `os.DirFS(\"\").Open(attacker_filename)` in order to create an attacker-named externally-writable file in the current directory, the attacker will actually be able to create the file in an arbitrary filepath, leading to arbitrary file overwrite",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819257449357314,
"PublicVulnsExtendedTblId": 1792819257419997184,
"Name": "The issue has an exploit published",
"Description": "GitHub Issue contains PoC snippets with multiple ways to trigger the vulnerability.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819257449357315,
"PublicVulnsExtendedTblId": 1792819257419997184,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find a remote service that takes user input and specifically opens a file after calling the `os.DirFS()` or `http.dir()` functions. Refer to the full applicability conditions in the full description.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819257449357316,
"PublicVulnsExtendedTblId": 1792819257419997184,
"RefType": "Patch",
"Title": "Official Patch",
"Url": "https://github.com/golang/go/commit/7013a4f5f816af62033ad63dd06b77c30d7a62a7",
"InsertOrder": 1
},
{
"Id": 1792819257449357317,
"PublicVulnsExtendedTblId": 1792819257419997184,
"RefType": "Advisory",
"Title": "Official GitHub Issue",
"Url": "https://github.com/golang/go/issues/56694",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-520139",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Templates containing actions in unquoted HTML attributes (e.g. \"attr={{.}}\") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.9",
"1.20.0-0 ≤ Version < 1.20.4"
],
"fixed_versions": [
"1.19.9",
"1.20.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-29400",
"cwe": [
"CWE-74"
],
"cvss_v3": "7.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"description": "Templates containing actions in unquoted HTML attributes (e.g. \"attr={{.}}\") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819261517832192,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-520139",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient filtering in Go's `html/template` leads to XSS when executing crafted templates.",
"FullDescription": "",
"Impact": 5,
"VulnerabilityType": "Script code injection",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819261542998019,
"PublicVulnsExtendedTblId": 1792819261517832192,
"Name": "The issue has an exploit published",
"Description": "Test code contains PoC that demonstrates code injection.",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819261542998020,
"PublicVulnsExtendedTblId": 1792819261517832192,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819261542998021,
"PublicVulnsExtendedTblId": 1792819261517832192,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The attackers must find a remote input that propagates into a Go template that is subsequently rendered with `Template.Execute` or `Template.ExecuteTemplate`. This is highly unlikely and is considered a bad practice regardless of this vulnerability.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819261542998022,
"PublicVulnsExtendedTblId": 1792819261517832192,
"RefType": "Patch",
"Title": "Official Fix Commit",
"Url": "https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5",
"InsertOrder": 1
},
{
"Id": 1792819261542998023,
"PublicVulnsExtendedTblId": 1792819261517832192,
"RefType": "Advisory",
"Title": "Golang Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1753",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-535837",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.11",
"1.20.11 < Version < 1.20.12",
"1.21.4 < Version < 1.21.5",
"1.21.0-0 ≤ Version < 1.21.4"
],
"fixed_versions": [
"1.20.11",
"1.20.12",
"1.21.4",
"1.21.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-45283",
"cwe": [
"CWE-22"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description": "The filepath package does not recognize paths with a \\??\\ prefix as special.On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819264072163335,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-535837",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input validation in Golang allows attackers to perform path traversal when parsing Windows paths.",
"FullDescription": "[Go](https://go.dev/) is an open source programming language that makes it easy to build simple, reliable, and efficient software.\r\nThe [`path/filepath`](https://pkg.go.dev/path/filepath) package of the Go programming language is used to parse and handle paths. This package takes into consideration the operating system.\r\nThe `Clean()` function in the `path/filepath` package is used to clean up a given path and return a shorter, cleaned version of the path. \r\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system.\r\n\r\nIt was discovered that when running Go applications on Windows, the `path/filepath` package does not recognize paths with a \\??\\ prefix as special. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fixing, `Clean()` could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. The vulnerability affects most of the functions of the `path/filepath` package, not just `Clean()`, this could lead to unexpected results when relying on the package, including path traversal which may lead to arbitrary file-read/file-write.",
"Impact": 4,
"VulnerabilityType": "Unspecified",
"Resolution": "##### Development mitigations\n\nReplace any path usage of `\\??\\` with the equivalent `\\\\?\\` which is handled properly by `Clean` and other path-related APIs.\r\n\r\nFor example -\r\n```go\r\n\tmy_path := `\\??\\my\\path`\r\n\tsafe_path := strings.Replace(my_path, `\\??\\`, `\\\\?\\`, -1)\r\n\t# safe_path can be used with Clean() etc.\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819264097329153,
"PublicVulnsExtendedTblId": 1792819264072163335,
"Name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
"Description": "The security impact of exploiting this vulnerability highly depends on the 1st-party code that uses a `path/filepath` function.\r\nFor example, suppose the code uses `join()` to create an attacker-named externally writable file in the current directory. In that case, the attacker can create the file in an arbitrary file path, leading to arbitrary file overwrite.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819264097329154,
"PublicVulnsExtendedTblId": 1792819264072163335,
"Name": "The issue has a detailed technical explanation published, that can aid in exploit development",
"Description": "The advisory contains an explanation of how to trigger the vulnerability.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819264097329155,
"PublicVulnsExtendedTblId": 1792819264072163335,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability as well as the impact.",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819264097329156,
"PublicVulnsExtendedTblId": 1792819264072163335,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "For the vulnerability to be exploitable, an attacker must find a remote service that takes user input and specifically opens a file after using a `path/filepath` package function, in which case the attacker may use it to open arbitrary files.",
"IsPositive": 1,
"InsertOrder": 4
},
{
"Id": 1792819264097329157,
"PublicVulnsExtendedTblId": 1792819264072163335,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The vulnerability only affects the Windows operating system.",
"IsPositive": 1,
"InsertOrder": 5
}
],
"ExtendedReferences": [
{
"Id": 1792819264097329158,
"PublicVulnsExtendedTblId": 1792819264072163335,
"RefType": "Advisory",
"Title": "Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-2185",
"InsertOrder": 1
},
{
"Id": 1792819264097329159,
"PublicVulnsExtendedTblId": 1792819264072163335,
"RefType": "Patch",
"Title": "Fix commit",
"Url": "https://github.com/golang/go/commit/46fb78168596f7ce8834f528bb0eb9555c08bcae",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-180700",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.13",
"1.16.0-0 ≤ Version < 1.16.5"
],
"fixed_versions": [
"1.15.13",
"1.16.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-33198",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-196313",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.8",
"1.17.0-0 ≤ Version < 1.17.1"
],
"fixed_versions": [
"1.16.8",
"1.17.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-39293",
"cwe": [
"CWE-770"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-208841",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.9",
"1.18.0-0 ≤ Version < 1.18.1"
],
"fixed_versions": [
"1.17.9",
"1.18.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-24675",
"cwe": [
"CWE-674"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819243998224384,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-208841",
"VulnerabilityTitle": "",
"ShortDescription": "A stack exhaustion in Golang when decoding PEM data leads to denial of service.",
"FullDescription": "[Go](https://go.dev/) is a statically typed, compiled programming language designed at Google. It is syntactically similar to C, but with memory safety, garbage collection, structural typing, and CSP-style concurrency. It is often referred to as Golang because of its former domain name, golang.org, but its proper name is Go.\r\n\r\nGo offers multiple built-in packages. One of them is [PEM package](https://pkg.go.dev/encoding/pem), responsible for encoding and decoding PEM data like TLS keys or certificates. \r\n\r\nThe PEM's data decoding can be compromised to cause a stack overflow/exhaustion and thus, a denial of service. The bug was proven to be triggered when decoding a large PEM data containing errors. Errors were triggering a recursive call the `Decode` function itself. Recursive calls fill up the calling stack until the crash. \r\n\r\nThe bug was fixed in Go version 1.18.1 and 1.17.9. A proof-of-concept was [published](https://go-review.googlesource.com/c/go/+/399820/1/src/encoding/pem/pem_test.go#164) as a test case.",
"Impact": 6,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819244027584514,
"PublicVulnsExtendedTblId": 1792819243998224384,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find a remote input that propagates into a PEM `Decode` call",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819244027584515,
"PublicVulnsExtendedTblId": 1792819243998224384,
"Name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
"Description": "Network software tends to decode PEM data from untrusted sources (ex. SSL certificates)",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819244027584516,
"PublicVulnsExtendedTblId": 1792819243998224384,
"Name": "The issue has multiple mentions in general media",
"Description": "",
"IsPositive": 0,
"InsertOrder": 3
},
{
"Id": 1792819244027584517,
"PublicVulnsExtendedTblId": 1792819243998224384,
"Name": "The issue has an exploit published",
"Description": "Crashing PoC test case",
"IsPositive": 0,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819244027584518,
"PublicVulnsExtendedTblId": 1792819243998224384,
"RefType": "Advisory",
"Title": "JFrog Security tweet",
"Url": "https://twitter.com/JFrogSecurity/status/1513899316041207814",
"InsertOrder": 1
},
{
"Id": 1792819244027584519,
"PublicVulnsExtendedTblId": 1792819243998224384,
"RefType": "Advisory",
"Title": "Github issue",
"Url": "https://github.com/golang/go/issues/51853",
"InsertOrder": 2
},
{
"Id": 1792819244027584520,
"PublicVulnsExtendedTblId": 1792819243998224384,
"RefType": "Patch",
"Title": "Patch for 1.18.x",
"Url": "https://go-review.googlesource.com/c/go/+/399817/",
"InsertOrder": 3
},
{
"Id": 1792819244027584521,
"PublicVulnsExtendedTblId": 1792819243998224384,
"RefType": "Patch",
"Title": "Patch for 1.17.x",
"Url": "https://go-review.googlesource.com/c/go/+/399816/",
"InsertOrder": 4
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-426748",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.6",
"1.20.0-0 ≤ Version < 1.20.1"
],
"fixed_versions": [
"1.19.6",
"1.20.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-41724",
"cwe": [
"CWE-400"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Large handshake records may cause panics in crypto/tls.Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819259273879552,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-426748",
"VulnerabilityTitle": "",
"ShortDescription": "Improper error management in Go's crypto/tls package can lead to denial of service when processing large TLS handshake records.",
"FullDescription": "The `crypto/tls` package in Go provides cryptographic protocols for secure communication over the network, including the Transport Layer Security (TLS) protocol.\r\nImproper error management when processing a large TLS handshake record can lead to panic when attempting to construct responses. \r\n\r\nA large TLS handshake can be generated by TLS 1.3 clients and TLS 1.2 clients with session resumption enabled, when the `Config.ClientSessionCache` setting has a non-nil value. In addition, a large TLS handshake can also be generated by TLS 1.3 servers when client authentication is enabled (`Config.ClientAuth` is set to `RequestClientCert` or a higher value).\r\n\r\nAlthough internal library code is vulnerable to this issue, currently it does not seem this issue can be triggered by an external attacker.",
"Impact": 4,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819259307433986,
"PublicVulnsExtendedTblId": 1792819259273879552,
"Name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
"Description": "The CVSS score does not reflect the real-world impact of the issue, since the issue cannot be exploited by an external attacker",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819259307433987,
"PublicVulnsExtendedTblId": 1792819259273879552,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "Although internal library code is vulnerable to this issue, currently it does not seem this issue can be triggered by an external attacker.",
"IsPositive": 1,
"InsertOrder": 2
}
],
"ExtendedReferences": [
{
"Id": 1792819259307433988,
"PublicVulnsExtendedTblId": 1792819259273879552,
"RefType": "Advisory",
"Title": "Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1570",
"InsertOrder": 1
},
{
"Id": 1792819259307433989,
"PublicVulnsExtendedTblId": 1792819259273879552,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.dev/cl/468125",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-426747",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, \"If stored on disk, the File's underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary ...",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.6",
"1.20.0-0 ≤ Version < 1.20.1"
],
"fixed_versions": [
"1.19.6",
"1.20.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-41725",
"cwe": [
"CWE-770"
],
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, \"If stored on disk, the File's underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary ...",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819259471011840,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-426747",
"VulnerabilityTitle": "",
"ShortDescription": "Missing length checks in Go's net/http and mime/multipart packages can lead to denial of service when processing crafted packets.",
"FullDescription": "The `net/http` and `mime/multipart` packages in Go are used for handling HTTP requests and responses, and for parsing multipart/form-data requests, respectively.\r\nWhen handling HTTP requests that contain multipart form data, the Go programming language provides two packages: `mime/multipart` and `net/http`. Multipart form data can be parsed using the `mime/multipart.Reader.ReadForm` function, as well as the Request methods `FormFile`, `FormValue`, `ParseMultipartForm`, and `PostFormValue` provided by the `net/http` package.\r\n\r\nBy default, the maximum amount of memory that can be used for buffering is set to `maxMemory` bytes + 10MB. However, there was an issue where certain metadata such as map entry overhead, part names, and MIME headers were not included in the memory size calculation. This could allow an attacker that controls the metadata's length to create excessively large files that could potentially exhaust the available disk space and cause a denial of service.\r\n\r\nVulnerable code example -\r\n```go\r\n// forms.go\r\npackage main\r\n\r\nimport (\r\n \"html/template\"\r\n \"net/http\"\r\n)\r\n\r\ntype ContactDetails struct {\r\n Email string\r\n Subject string\r\n Message string\r\n}\r\n\r\nfunc main() {\r\n tmpl := template.Must(template.ParseFiles(\"forms.html\"))\r\n\r\n http.HandleFunc(\"/\", func(w http.ResponseWriter, r *http.Request) {\r\n if r.Method != http.MethodPost {\r\n tmpl.Execute(w, nil)\r\n return\r\n }\r\n\r\n details := ContactDetails{\r\n Email: r.FormValue(\"email\"),\r\n Subject: r.FormValue(\"subject\"),\r\n Message: r.FormValue(\"message\"),\r\n }\r\n\r\n // do something with details\r\n _ = details\r\n\r\n tmpl.Execute(w, struct{ Success bool }{true})\r\n })\r\n\r\n http.ListenAndServe(\":8080\", nil)\r\n}\r\n```",
"Impact": 6,
"VulnerabilityType": "Denial of service",
"Resolution": "##### Development mitigations\n\nThe `multipart.ReadForm` and the `http.Request` methods that call it do not limit the amount of disk space consumed by temporary files, so callers can limit the size of form data using `http.MaxBytesReader`.\r\nExample:\r\n```\r\nhttp.HandleFunc(\"/bar\", func(w http.ResponseWriter, r *http.Request) {\r\n\t// Limit to 1MB\r\n\tmaxSize = 1024*1024 \r\n r.Body = http.MaxBytesReader(w, nopCloser{r.Body}, maxSize)\r\n})\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1792819259504566273,
"PublicVulnsExtendedTblId": 1792819259471011840,
"Name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
"Description": "It is highly likely that HTTP form data will be received from possibly untrusted sources",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819259504566274,
"PublicVulnsExtendedTblId": 1792819259471011840,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attackers must find an input that propagates to one of the vulnerable functions - \r\n\r\n* mime/multipart `Reader.ReadForm`\r\n* net/http `Request.FormFile`\r\n* net/http `Request.FormValue`\r\n* net/http `Request.ParseMultipartForm`\r\n* net/http `Request.PostFormValue`",
"IsPositive": 1,
"InsertOrder": 2
},
{
"Id": 1792819259504566275,
"PublicVulnsExtendedTblId": 1792819259471011840,
"Name": "The issue is trivial to exploit and does not require a published writeup or PoC",
"Description": "A request containing large multipart form data is enough to trigger the issue.",
"IsPositive": 0,
"InsertOrder": 3
},
{
"Id": 1792819259504566276,
"PublicVulnsExtendedTblId": 1792819259471011840,
"Name": "The issue results in a severe impact (such as remote code execution)",
"Description": "This issue leads to denial of service in server applications.",
"IsPositive": 0,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819259504566277,
"PublicVulnsExtendedTblId": 1792819259471011840,
"RefType": "Advisory",
"Title": "Advisory",
"Url": "https://pkg.go.dev/vuln/GO-2023-1569",
"InsertOrder": 1
},
{
"Id": 1792819259504566278,
"PublicVulnsExtendedTblId": 1792819259471011840,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.dev/cl/468124",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-90558",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.12.11",
"1.13.0-0 ≤ Version < 1.13.2"
],
"fixed_versions": [
"1.12.11",
"1.13.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2019-17596",
"cwe": [
"CWE-436"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819239501930496,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-90558",
"VulnerabilityTitle": "",
"ShortDescription": "Multiple crypto certificate verification (DSA, X.509) functions of the Go standard library are vulnerable to DoS if provided with untrusted user input.",
"FullDescription": "Go, also known as Golang, is an open-source, compiled, and statically typed programming language designed by Google. It is built to be simple, high-performing, readable, and efficient.\r\n\r\nGo-based applications could be vulnerable to DoS (Denial of Service) caused by an application panic if they provide untrusted user input as arguments to the following signature verifications function from the [crypto](https://pkg.go.dev/crypto) package of the Go standard library - \r\n\r\n- `crypto/dsa.Verify` (see [here](https://pkg.go.dev/crypto/dsa#Verify))\r\n- `crypto/x509.(*CertificateRequest).CheckSignature` (see [here](https://pkg.go.dev/crypto/x509#Certificate.CheckSignature))\r\n\r\nIndirectly, this can also affect applications that implement a HTTPS client by using the Go [net/http package](https://pkg.go.dev/net/http). Note that there is no effect on HTTP servers as they recover from this issue. If the HTTPS client verifies the certificates of servers it connects to, and it might connect to malicious servers, it is possible for a malicious HTTPS server (or an attacker performing a network MITM attack) to trigger the vulnerability in the `crypto/x509.Verify` function by supplying a maliciously crafted X.509 certificate chain. As the certificate chain doesn't have to be signed by a trusted root for the vulnerable code to be triggered, an attacker can supply a self-signed chain, making an attack far more likely.",
"Impact": 6,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819239531290625,
"PublicVulnsExtendedTblId": 1792819239501930496,
"Name": "The issue has an exploit published",
"Description": "Exploit demonstrates DoS on a simple Go HTTP server",
"IsPositive": 0,
"InsertOrder": 1
},
{
"Id": 1792819239531290626,
"PublicVulnsExtendedTblId": 1792819239501930496,
"Name": "The issue has a detailed technical explanation published, that can aid in exploit development",
"Description": "",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819239531290627,
"PublicVulnsExtendedTblId": 1792819239501930496,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "The attacker must find a remote input that propagates into the `crypto/dsa.Verify` or `crypto/x509.(*CertificateRequest).CheckSignature` API calls\r\n\r\nIn some scenarios, such as TLS clients verifying the TLS server certificate, the attack vector is trivial (a malicious HTTPS server can provide a crafted TLS certificate and crash the client)",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819239531290628,
"PublicVulnsExtendedTblId": 1792819239501930496,
"RefType": "Advisory",
"Title": "Fix commit - 1.13.x",
"Url": "https://github.com/golang/go/commit/4cabf6992e98f74a324e6f814a7cb35e41b05f25",
"InsertOrder": 1
},
{
"Id": 1792819239531290629,
"PublicVulnsExtendedTblId": 1792819239501930496,
"RefType": "Advisory",
"Title": "Fix commit - 1.12.x",
"Url": "https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73",
"InsertOrder": 2
},
{
"Id": 1792819239531290630,
"PublicVulnsExtendedTblId": 1792819239501930496,
"RefType": "Advisory",
"Title": "Golang mailing list announcement",
"Url": "https://groups.google.com/g/golang-announce/c/lVEm7llp0w0/m/VbafyRkgCgAJ",
"InsertOrder": 3
},
{
"Id": 1792819239531290631,
"PublicVulnsExtendedTblId": 1792819239501930496,
"RefType": "Exploit",
"Title": "PoC exploit (local crasher)",
"Url": "https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596",
"InsertOrder": 4
},
{
"Id": 1792819239531290632,
"PublicVulnsExtendedTblId": 1792819239501930496,
"RefType": "Technical Writeup",
"Title": "Researcher writeup",
"Url": "https://paul.querna.org/articles/2019/10/24/dsa-verify-poc/",
"InsertOrder": 5
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-189376",
"severity": "High",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.10",
"1.17.0-0 ≤ Version < 1.17.3"
],
"fixed_versions": [
"1.16.10",
"1.17.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-41771",
"cwe": [
"CWE-119"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819242588938240,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-189376",
"VulnerabilityTitle": "",
"ShortDescription": "An out-of-bounds read in Go's `debug/macho` package may lead to a denial of service when processing a malformed Mach-O binary.",
"FullDescription": "The [debug/macho](https://pkg.go.dev/debug/macho) package in Go provides functionality to parse and analyze Mach-O (Mach Object) files, which are executable binary files used primarily in macOS and iOS operating systems.\r\nThe dynamic symbol table command within a `Mach-O` binary provides information about symbols that are dynamically linked during runtime. It includes details such as symbol names, addresses, and other relevant attributes for runtime symbol resolution.\r\n\r\nWhen opening a `Mach-O` binary with Go's `debug/macho` package, the `NewFile()` method lacks proper validation of symbol table indexes, particularly the `undefined symbol index`.\r\n\r\nThis vulnerability arises during parsing of the `dynamic symbol table` command and can result in processing symbols outside the binary's memory range. Additionally, the package does not verify if the number of undefined symbols exceeds the symbol table's length.\r\nThese issues can lead to an out-of-bounds read and may potentially result in a panic and a denial of service.\r\n\r\nThe `NewFile()` method can be also accessed through the publicly exposed functions `Open()` and `OpenFat()` in the `debug/macho` package. These functions are commonly utilized to open and parse Mach-O binary files.\r\n\r\nHere's an example of vulnerable code that demonstrates the issue when using `Open()` or `OpenFat()` on a Mach-O binary:\r\n```go\r\nfunc openMachOBinary() {\r\n\tfile, err := macho.Open(\"vulnerable_binary\")\r\n\tif err != nil {\r\n\t\tlog.Fatal(err)\r\n\t}\r\n\tdefer file.Close()\r\n}\r\n```",
"Impact": 4,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819242622492673,
"PublicVulnsExtendedTblId": 1792819242588938240,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "The `debug/macho` package is primarily intended for low-level analysis and manipulation of Mach-O binaries, the format used in Apple's operating system. As such, it is rarely used in production code and in server code.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819242622492674,
"PublicVulnsExtendedTblId": 1792819242588938240,
"Name": "The issue has an exploit published",
"Description": "The PoC contains an example of a Mach-O binary causing panic.",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819242622492675,
"PublicVulnsExtendedTblId": 1792819242588938240,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "Panic for a client application is not a severe impact.",
"IsPositive": 1,
"InsertOrder": 3
}
],
"ExtendedReferences": [
{
"Id": 1792819242622492676,
"PublicVulnsExtendedTblId": 1792819242588938240,
"RefType": "Exploit",
"Title": "Proof of Concept",
"Url": "https://go-review.googlesource.com/c/go/+/359454/2/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64",
"InsertOrder": 1
},
{
"Id": 1792819242622492677,
"PublicVulnsExtendedTblId": 1792819242588938240,
"RefType": "Advisory",
"Title": "Issue discussion",
"Url": "https://github.com/golang/go/issues/48990",
"InsertOrder": 2
},
{
"Id": 1792819242622492678,
"PublicVulnsExtendedTblId": 1792819242588938240,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go-review.googlesource.com/c/go/+/359454",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-597401",
"severity": "Medium",
"severity_source": "Unknown",
"pkg_type": "go",
"summary": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.21.9",
"1.22.0-0 ≤ Version < 1.22.2"
],
"fixed_versions": [
"1.21.9",
"1.22.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-45288",
"cwe": [
"CWE-400"
],
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
"provider": "JFrog"
}
},
"edited": "2024-05-03T02:26:02-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1786296160077418496,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-597401",
"VulnerabilityTitle": "",
"ShortDescription": "A design problem in the implementation of the HTTP/2 protocol in Golang may lead to denial of service by abusing frame flags.",
"FullDescription": "The `net/http` package in Go is used for handling HTTP requests and responses.\r\n`HTTP/2` is a binary protocol where the client and server exchange binary frames instead of text lines as in `HTTP/1.x`. `HTTP/2` resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.\r\n\r\nThe `HEADERS` frame type allows sending HTTP headers of, both, request and response. The `HEADERS` frame contains many flags.\r\nThe `CONTINUATION` frame type is similar to the `HEADER` frame, but it has just one flag: `END_HEADERS`. When it is not set, the peer knows that more headers are coming in the following `CONTINUATION` frames.\r\n\r\nThis mechanism allows an attacker to send an `HTTP/2` stream with `CONTINUATION` frames, without setting the `END_HEADERS` flag in any of the frames. This can cause denial-of-service when sending an excessive number of these crafted frames due to caching all frames in memory.\r\n\r\nThough the `net/http` package uses HTTP/2 by default, a Golang web server must have HTTPS configured to be vulnerable to exploitation.\r\nThe `x/net/http2` package is vulnerable by default.",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "##### Development mitigations\n\nFrom Golang version 1.6, the `net/http` package is using the `HTTP/2` protocol by default when using HTTPS. You can disable HTTP/2 by setting `Server.TLSNextProto` (for servers) to a non-nil, empty map.\r\n\r\nFor example:\r\n```\r\npackage main\r\n\r\nimport (\r\n \"log\"\r\n \"net/http\"\r\n \"crypto/tls\"\r\n)\r\n\r\nfunc main() {\r\n m := http.NewServeMux()\r\n srv := &http.Server{\r\n Handler: m,\r\n Addr: \"127.0.0.1:8080\",\r\n TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),\r\n }\r\n log.Fatal(srv.ListenAndServe())\r\n}\r\n```\r\n\r\nAlternatively, the following GODEBUG settings are also supported, which disables the HTTP/2 server support:\r\n```\r\nGODEBUG=http2server=0\r\n```",
"ExtendedImpactReasons": [
{
"Id": 1786296160102584321,
"PublicVulnsExtendedTblId": 1786296160077418496,
"Name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
"Description": "Though the `net/http` package uses HTTP/2 by default, a Golang web server must have HTTPS configured to be vulnerable to exploitation.\r\nThe `x/net/http2` package is vulnerable by default.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1786296160102584322,
"PublicVulnsExtendedTblId": 1786296160077418496,
"Name": "The issue has multiple mentions in general media",
"Description": "This issue is related to the well-covered attack \"HTTP/2 CONTINUATION Flood\".",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1786296160102584323,
"PublicVulnsExtendedTblId": 1786296160077418496,
"Name": "The issue has a detailed technical explanation published, that can aid in exploit development",
"Description": "A very detailed technical write-up has been published regarding the issue.",
"IsPositive": 0,
"InsertOrder": 3
},
{
"Id": 1786296160102584324,
"PublicVulnsExtendedTblId": 1786296160077418496,
"Name": "The issue can be exploited by attackers over the network",
"Description": "",
"IsPositive": 0,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1786296160102584325,
"PublicVulnsExtendedTblId": 1786296160077418496,
"RefType": "Technical Writeup",
"Title": "Techincal write-up",
"Url": "https://nowotarski.info/http2-continuation-flood-technical-details/",
"InsertOrder": 1
},
{
"Id": 1786296160102584326,
"PublicVulnsExtendedTblId": 1786296160077418496,
"RefType": "Patch",
"Title": "Patch",
"Url": "https://go.dev/cl/576155",
"InsertOrder": 2
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-531550",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.8",
"1.21.0-0 ≤ Version < 1.21.1"
],
"fixed_versions": [
"1.20.8",
"1.21.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-39318",
"cwe": [
"CWE-79"
],
"cvss_v3": "6.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"description": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-139164",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.14.14",
"1.15.0-0 ≤ Version < 1.15.7"
],
"fixed_versions": [
"1.14.14",
"1.15.7"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-3114",
"cwe": [
"CWE-682"
],
"cvss_v2": "6.4/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N",
"cvss_v3": "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"description": "The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-180701",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.13",
"1.16.0-0 ≤ Version < 1.16.5"
],
"fixed_versions": [
"1.15.13",
"1.16.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-33197",
"cwe": [
"CWE-862"
],
"cvss_v2": "4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description": "ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-114287",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.13.13",
"1.14.0-0 ≤ Version < 1.14.5"
],
"fixed_versions": [
"1.13.13",
"1.14.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-15586",
"cwe": [
"CWE-362"
],
"cvss_v2": "4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss_v3": "5.9/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "GO-2021-0224:HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.GO-2021-0141:A Go HTTP server which reads from the request body whilesimultaneously writing a response can panic when clientssend a \"Expect: 100-continue\" header.",
"provider": "JFrog"
}
},
"edited": "2024-07-02T02:26:08-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-540331",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.12",
"1.21.0-0 ≤ Version < 1.21.5"
],
"fixed_versions": [
"1.20.12",
"1.21.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-39326",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"description": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-122286",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.14.8",
"1.15.0-0 ≤ Version < 1.15.1"
],
"fixed_versions": [
"1.14.8",
"1.15.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-24553",
"cwe": [
"CWE-79"
],
"cvss_v2": "4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "6.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"description": "GO-2021-0143:When a Handler does not explicitly set the Content-Type header,the net/http/cgi and net/http/fcgi packages default to \"text/html\",which can cause a Cross-Site Scripting vulnerability if an attackercan control any part of the contents of a response.GO-2021-0226:When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.",
"provider": "JFrog"
}
},
"edited": "2024-07-02T02:26:08-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-114289",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.13.13",
"1.14.0-0 ≤ Version < 1.14.5"
],
"fixed_versions": [
"1.13.13",
"1.14.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-14039",
"cwe": [
"CWE-295"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description": "GO-2021-0223:On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages. This may allow a certificate to be used for an unintended purpose.GO-2021-0140:X509 Certificate verification does not validate KeyUsages EKUrequirements on Windows if VerifyOptions.Roots is nil.",
"provider": "JFrog"
}
},
"edited": "2024-06-06T02:26:32-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-531549",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The html/template package does not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.8",
"1.21.0-0 ≤ Version < 1.21.1"
],
"fixed_versions": [
"1.20.8",
"1.21.1"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-39319",
"cwe": [
"CWE-79"
],
"cvss_v3": "6.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"description": "The html/template package does not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248646",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-32148",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v3": "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"description": "Client IP adresses may be unintentionally exposed via X-Forwarded-For headers.When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation.In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-523140",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.11",
"1.20.0-0 ≤ Version < 1.20.6"
],
"fixed_versions": [
"1.19.11",
"1.20.6"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-29406",
"cwe": [
"CWE-436"
],
"cvss_v3": "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
}
],
"description": "The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests.With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-193494",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.16.12",
"1.17.0-0 ≤ Version < 1.17.5"
],
"fixed_versions": [
"1.16.12",
"1.17.5"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-44717",
"cwe": [
"CWE-404"
],
"cvss_v2": "5.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N",
"cvss_v3": "4.8/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"description": "When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-181818",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.15",
"1.16.0-0 ≤ Version < 1.16.7"
],
"fixed_versions": [
"1.15.15",
"1.16.7"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-36221",
"cwe": [
"CWE-362"
],
"cvss_v2": "4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss_v3": "5.9/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "ReverseProxy can panic after encountering a problem copying a proxied response body.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-527218",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.12",
"1.20.0-0 ≤ Version < 1.20.7",
"1.21.0-0 ≤ Version < 1.21.0-rc.4"
],
"fixed_versions": [
"1.19.12",
"1.20.7",
"1.21.0-rc.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-29409",
"cwe": [
"CWE-400"
],
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"description": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits.Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-179699",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.14",
"1.16.0-0 ≤ Version < 1.16.6"
],
"fixed_versions": [
"1.15.14",
"1.16.6"
],
"more_details": {
"cves": [
{
"cve": "CVE-2021-34558",
"cwe": [
"CWE-295"
],
"cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:P",
"cvss_v3": "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"description": "crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": true,
"high_profile_info": {
"Id": 1792819241485836311,
"PublicVulnsTblID": 0,
"VulnId": "XRAY-179699",
"VulnerabilityTitle": "",
"ShortDescription": "Insufficient input in crypto/tls in go allows a network attacker to perform denial of service by providing a certificate of the wrong type.",
"FullDescription": "Golang's `crypto/tls` handles TLS sessions including key exchanges. When `crypto/tls` receives the \r\nwrong type of certificate (according to the negotiated type) the client can crash due to \r\ninsufficient certificate checks.\r\nThe vulnerability affects `net/http` clients too when using TLS under the same conditions.\r\nThere is a PoC already [published](https://github.com/alexzorin/cve-2021-34558) online, demonstrating the `crypto/tls` and `net/http` crash.\r\n\r\nThe crash can be triggered by a local network attacker that uses a MitM attack to redirect a `net/http`-based client to a malicious TLS server. The crash can be triggered by an attacker even without access to the server’s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists or the client is configured with `Config.InsecureSkipVerify `.",
"Impact": 5,
"VulnerabilityType": "Denial of service",
"Resolution": "",
"ExtendedImpactReasons": [
{
"Id": 1792819241515196416,
"PublicVulnsExtendedTblId": 1792819241485836311,
"Name": "The prerequisites for exploiting the issue are extremely unlikely",
"Description": "In order to trigger the crash, a trusted ECDSA or Ed25519 certificate for the server must exist, or the client is must be configured with `Config.InsecureSkipVerify` (meaning that the client does not validate the TLS certificate). Clients that do not validate the TLS certificate are prone to much more severe attacks through SSL MitM.",
"IsPositive": 1,
"InsertOrder": 1
},
{
"Id": 1792819241515196417,
"PublicVulnsExtendedTblId": 1792819241485836311,
"Name": "The issue can be exploited by attackers over the network",
"Description": "Remotely exploitable by local network attackers that perform MitM",
"IsPositive": 0,
"InsertOrder": 2
},
{
"Id": 1792819241515196418,
"PublicVulnsExtendedTblId": 1792819241485836311,
"Name": "The issue cannot result in a severe impact (such as remote code execution)",
"Description": "Denial of service in client applications",
"IsPositive": 1,
"InsertOrder": 3
},
{
"Id": 1792819241515196419,
"PublicVulnsExtendedTblId": 1792819241485836311,
"Name": "The issue has an exploit published",
"Description": "Exploit fully demonstrates a malicious server that causes client crashes",
"IsPositive": 0,
"InsertOrder": 4
}
],
"ExtendedReferences": [
{
"Id": 1792819241515196420,
"PublicVulnsExtendedTblId": 1792819241485836311,
"RefType": "Patch",
"Title": "https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557",
"Url": "https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557",
"InsertOrder": 1
},
{
"Id": 1792819241515196421,
"PublicVulnsExtendedTblId": 1792819241485836311,
"RefType": "Advisory",
"Title": "Github issue",
"Url": "https://github.com/golang/go/issues/47143",
"InsertOrder": 2
},
{
"Id": 1792819241515196422,
"PublicVulnsExtendedTblId": 1792819241485836311,
"RefType": "Exploit",
"Title": "PoC",
"Url": "https://github.com/alexzorin/cve-2021-34558",
"InsertOrder": 3
}
],
"ExtendedRelatedVulns": null
},
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248653",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-1962",
"cwe": [
"CWE-674"
],
"cvss_v3": "5.5/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"description": "Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-535836",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as \"COM1 \", and reserved names \"COM\" and \"LPT\" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.20.11",
"1.21.0-0 ≤ Version < 1.21.4"
],
"fixed_versions": [
"1.20.11",
"1.21.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-45284",
"cwe": [
"NVD-CWE-noinfo"
],
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description": "On Windows, The IsLocal function does not correctly detect reserved device names in some cases.Reserved names followed by spaces, such as \"COM1 \", and reserved names \"COM\" and \"LPT\" followed by superscript 1, 2, or 3, are incorrectly reported as local.With fix, IsLocal now correctly reports these names as non-local.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-427380",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.19.7",
"1.20.0-0 ≤ Version < 1.20.2"
],
"fixed_versions": [
"1.19.7",
"1.20.2"
],
"more_details": {
"cves": [
{
"cve": "CVE-2023-24532",
"cwe": [
"CWE-682"
],
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"description": "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve).This does not impact usages of crypto/ecdsa or crypto/ecdh.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:34-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248633",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.12",
"1.18.0-0 ≤ Version < 1.18.4"
],
"fixed_versions": [
"1.17.12",
"1.18.4"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-1705",
"cwe": [
"CWE-444"
],
"cvss_v3": "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"description": "The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a \"chunked\" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-134984",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.6"
],
"fixed_versions": [
"1.15.6"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-29510",
"cwe": [
"NVD-CWE-Other"
],
"cvss_v2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "5.6/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"description": "The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.",
"provider": "JFrog"
}
},
"edited": "2024-03-09T01:31:08-06:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-134983",
"severity": "Medium",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.15.6"
],
"fixed_versions": [
"1.15.6"
],
"more_details": {
"cves": [
{
"cve": "CVE-2020-29511",
"cwe": [
"NVD-CWE-Other"
],
"cvss_v2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "5.6/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"description": "The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.",
"provider": "JFrog"
}
},
"edited": "2024-03-09T01:33:50-06:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
},
{
"id": "XRAY-248650",
"severity": "Low",
"severity_source": "CVSS V3 from NVD",
"pkg_type": "go",
"summary": "Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.",
"issue_type": "security",
"provider": "JFrog",
"component": "github.com/golang/go",
"source_id": "go://github.com/golang/go",
"source_comp_id": "go://github.com/golang/go:1.12.2",
"component_versions": {
"id": "github.com/golang/go",
"vulnerable_versions": [
"< 1.17.11",
"1.18.0-0 ≤ Version < 1.18.3"
],
"fixed_versions": [
"1.17.11",
"1.18.3"
],
"more_details": {
"cves": [
{
"cve": "CVE-2022-30629",
"cwe": [
"CWE-330"
],
"cvss_v3": "3.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
}
],
"description": "An attacker can correlate a resumed TLS session with a previous connection.Session tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.",
"provider": "JFrog"
}
},
"edited": "2024-05-21T02:26:28-05:00",
"is_source_root": false,
"is_high_profile": false,
"component_physical_paths": [
"github.com/gabriel-vasile/[email protected]/testdata/exe.exe/github.com/lang/go/go"
]
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment