Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Golang Subscribe
Total 114 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-30630 1 Golang 1 Go 2023-03-01 N/A 7.5 HIGH
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
CVE-2022-1962 1 Golang 1 Go 2023-03-01 N/A 5.5 MEDIUM
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
CVE-2022-30634 3 Golang, Microsoft, Netapp 3 Go, Windows, Cloud Insights Telegraf Agent 2023-02-28 N/A 7.5 HIGH
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
CVE-2022-29804 2 Golang, Microsoft 2 Go, Windows 2023-02-28 N/A 7.5 HIGH
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
CVE-2022-28131 3 Fedoraproject, Golang, Netapp 3 Fedora, Go, Cloud Insights Telegraf 2023-02-28 N/A 7.5 HIGH
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
CVE-2020-28366 3 Fedoraproject, Golang, Netapp 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more 2023-02-28 5.1 MEDIUM 7.5 HIGH
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
CVE-2021-44716 3 Debian, Golang, Netapp 3 Debian Linux, Go, Cloud Insights Telegraf 2023-02-14 5.0 MEDIUM 7.5 HIGH
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-44717 3 Debian, Golang, Opengroup 3 Debian Linux, Go, Unix 2023-02-14 5.8 MEDIUM 4.8 MEDIUM
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
CVE-2022-24675 3 Fedoraproject, Golang, Netapp 3 Fedora, Go, Kubernetes Monitoring Operator 2023-02-14 5.0 MEDIUM 7.5 HIGH
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
CVE-2022-28327 2 Fedoraproject, Golang 3 Extra Packages For Enterprise Linux, Fedora, Go 2023-02-14 5.0 MEDIUM 7.5 HIGH
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
CVE-2021-41772 3 Fedoraproject, Golang, Oracle 3 Fedora, Go, Timesten In-memory Database 2023-02-14 5.0 MEDIUM 7.5 HIGH
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
CVE-2021-41771 3 Debian, Fedoraproject, Golang 3 Debian Linux, Fedora, Go 2023-02-14 5.0 MEDIUM 7.5 HIGH
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
CVE-2022-24921 3 Debian, Golang, Netapp 3 Debian Linux, Go, Astra Trident 2023-02-14 5.0 MEDIUM 7.5 HIGH
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
CVE-2020-14039 2 Golang, Opensuse 2 Go, Leap 2023-02-03 5.0 MEDIUM 5.3 MEDIUM
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
CVE-2020-16845 4 Debian, Fedoraproject, Golang and 1 more 4 Debian Linux, Fedora, Go and 1 more 2023-02-02 5.0 MEDIUM 7.5 HIGH
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
CVE-2022-41721 1 Golang 1 H2c 2023-01-24 N/A 7.5 HIGH
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
CVE-2021-38561 1 Golang 1 Text 2023-01-04 N/A 7.5 HIGH
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
CVE-2021-27919 2 Fedoraproject, Golang 2 Fedora, Go 2022-12-13 4.3 MEDIUM 5.5 MEDIUM
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
CVE-2021-27918 1 Golang 1 Go 2022-12-13 5.0 MEDIUM 7.5 HIGH
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
CVE-2022-41717 1 Golang 2 Go, Http2 2022-12-12 N/A 5.3 MEDIUM
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.