Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Golang Subscribe
Filtered by product Go
Total 94 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-9634 2 Golang, Microsoft 2 Go, Windows 2022-08-16 6.8 MEDIUM 7.8 HIGH
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
CVE-2022-30580 1 Golang 1 Go 2022-08-12 N/A 7.8 HIGH
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
CVE-2020-0601 2 Golang, Microsoft 5 Go, Windows, Windows 10 and 2 more 2022-08-12 5.8 MEDIUM 8.1 HIGH
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
CVE-2021-34558 4 Fedoraproject, Golang, Netapp and 1 more 6 Fedora, Go, Cloud Insights Telegraf and 3 more 2022-08-04 2.6 LOW 6.5 MEDIUM
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2021-39293 2 Golang, Netapp 2 Go, Cloud Insights Telegraf 2022-06-14 5.0 MEDIUM 7.5 HIGH
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
CVE-2021-33194 2 Fedoraproject, Golang 2 Fedora, Go 2022-06-03 5.0 MEDIUM 7.5 HIGH
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
CVE-2021-23772 2 Golang, Iris-go 2 Go, Iris 2022-01-04 6.8 MEDIUM 8.8 HIGH
This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.
CVE-2020-28362 3 Fedoraproject, Golang, Netapp 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more 2021-11-30 5.0 MEDIUM 7.5 HIGH
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
CVE-2019-17596 6 Arista, Debian, Fedoraproject and 3 more 11 Cloudvision Portal, Eos, Mos and 8 more 2021-11-30 5.0 MEDIUM 7.5 HIGH
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
CVE-2012-2666 1 Golang 1 Go 2021-10-18 7.5 HIGH 9.8 CRITICAL
golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script.
CVE-2020-24553 4 Fedoraproject, Golang, Opensuse and 1 more 4 Fedora, Go, Leap and 1 more 2021-09-16 4.3 MEDIUM 6.1 MEDIUM
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
CVE-2015-5741 2 Golang, Redhat 3 Go, Enterprise Linux, Openstack 2021-08-04 7.5 HIGH 9.8 CRITICAL
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
CVE-2020-7919 4 Debian, Fedoraproject, Golang and 1 more 4 Debian Linux, Fedora, Go and 1 more 2021-06-14 7.8 HIGH 7.5 HIGH
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
CVE-2018-16873 4 Debian, Golang, Opensuse and 1 more 5 Debian Linux, Go, Backports Sle and 2 more 2021-03-25 6.8 MEDIUM 8.1 HIGH
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
CVE-2018-16874 4 Debian, Golang, Opensuse and 1 more 5 Debian Linux, Go, Backports Sle and 2 more 2021-03-22 6.8 MEDIUM 8.1 HIGH
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
CVE-2019-16276 6 Debian, Fedoraproject, Golang and 3 more 9 Debian Linux, Fedora, Go and 6 more 2021-03-22 5.0 MEDIUM 7.5 HIGH
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
CVE-2019-9741 4 Debian, Fedoraproject, Golang and 1 more 5 Debian Linux, Fedora, Go and 2 more 2021-03-22 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVE-2017-15041 3 Debian, Golang, Redhat 7 Debian Linux, Go, Developer Tools and 4 more 2021-03-19 7.5 HIGH 9.8 CRITICAL
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
CVE-2020-28851 1 Golang 1 Go 2021-02-22 5.0 MEDIUM 7.5 HIGH
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
CVE-2020-29509 2 Golang, Netapp 2 Go, Trident 2021-01-29 6.8 MEDIUM 5.6 MEDIUM
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.