Moderate severityNVD Advisory· Published Jun 17, 2020· Updated Aug 4, 2024
CVE-2020-14040
CVE-2020-14040
Description
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/textGo | < 0.3.3 | 0.3.3 |
Affected products
14- Go/x/textdescription
- osv-coords13 versionspkg:apk/chainguard/dex-k8s-authenticatorpkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/chainguard/vt-clipkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:apk/wolfi/vt-clipkg:golang/golang.org/x/textpkg:rpm/almalinux/libslirppkg:rpm/almalinux/libslirp-develpkg:rpm/almalinux/python-podman-api
< 0+ 12 more
- (no CPE)range: < 0
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 1.0.0-r3
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 1.0.0-r3
- (no CPE)range: < 0.3.3
- (no CPE)range: < 4.3.1-1.module_el8.6.0+2876+9ed4eae2
- (no CPE)range: < 4.3.1-1.module_el8.6.0+2876+9ed4eae2
- (no CPE)range: < 1.2.0-0.2.gitd0a45fe.module_el8.5.0+2635+e4386a39
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-5rcv-m4m3-hfh7ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-14040ghsaADVISORY
- github.com/golang/go/issues/39491ghsaWEB
- github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0eghsaWEB
- go-review.googlesource.com/c/text/+/238238ghsaWEB
- go.dev/cl/238238ghsaWEB
- go.dev/issue/39491ghsaWEB
- go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0eghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/mitrex_refsource_MISC
- groups.google.com/g/golang-announce/c/bXVeAmGOqz0ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7OghsaWEB
News mentions
0No linked articles in our index yet.