Bitnami package
golang
pkg:bitnami/golang
Vulnerabilities (168)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-28367 | — | | | < 1.14.12 | 1.14.12 | Nov 18, 2020 | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. |
| CVE-2020-28366 | — | | | < 1.14.12 | 1.14.12 | Nov 18, 2020 | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. |
| CVE-2020-24553 | — | | | < 1.14.8 | 1.14.8 | Sep 2, 2020 | Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. |
| CVE-2020-16845 | — | | | < 1.13.15 | 1.13.15 | Aug 6, 2020 | Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. |
| CVE-2020-14039 | — | | | < 1.13.13 | 1.13.13 | Jul 17, 2020 | In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. |
| CVE-2020-15586 | — | | | < 1.13.13 | 1.13.13 | Jul 17, 2020 | Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. |
| CVE-2020-7919 | — | | | >= 1.12.0, < 1.12.6 | 1.12.6 | Mar 16, 2020 | Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. |
| CVE-2020-0601 | — | | KEV | >= 1.12.0, < 1.12.16 | 1.12.16 | Jan 14, 2020 | A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file wa |