rpm package
almalinux/go-toolset
pkg:rpm/almalinux/go-toolset
Vulnerabilities (63)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-41725 | — | < 1.19.6-1.module_el8.8.0+3558+75c9cb88 | 1.19.6-1.module_el8.8.0+3558+75c9cb88 | Feb 28, 2023 | A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package wi | ||
| CVE-2022-41715 | — | < 1.18.9-1.el9_1 | 1.18.9-1.el9_1 | Oct 14, 2022 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm | ||
| CVE-2022-2880 | — | < 1.18.9-1.el9_1 | 1.18.9-1.el9_1 | Oct 14, 2022 | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s | ||
| CVE-2022-2879 | — | < 1.18.9-1.el9_1 | 1.18.9-1.el9_1 | Oct 14, 2022 | Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi | ||
| CVE-2022-32148 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the | ||
| CVE-2022-1962 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. | ||
| CVE-2022-30630 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | ||
| CVE-2022-1705 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. | ||
| CVE-2022-30631 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. | ||
| CVE-2022-30633 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. | ||
| CVE-2022-30635 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. | ||
| CVE-2022-30632 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. | ||
| CVE-2022-28131 | — | < 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | 1.17.12-1.module_el8.6.0+3065+e17ed2d4 | Aug 9, 2022 | Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. | ||
| CVE-2022-23773 | — | < 1.17.7-1.module_el8.6.0+2736+ec10aba8 | 1.17.7-1.module_el8.6.0+2736+ec10aba8 | Feb 11, 2022 | cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. | ||
| CVE-2022-23772 | — | < 1.17.7-1.module_el8.6.0+2736+ec10aba8 | 1.17.7-1.module_el8.6.0+2736+ec10aba8 | Feb 11, 2022 | Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. | ||
| CVE-2022-23806 | — | < 1.17.7-1.module_el8.6.0+2736+ec10aba8 | 1.17.7-1.module_el8.6.0+2736+ec10aba8 | Feb 11, 2022 | Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. | ||
| CVE-2021-39293 | — | < 1.17.7-1.module_el8.6.0+2736+ec10aba8 | 1.17.7-1.module_el8.6.0+2736+ec10aba8 | Jan 24, 2022 | In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. | ||
| CVE-2021-44717 | — | < 1.16.12-1.module_el8.5.0+2604+960c7771 | 1.16.12-1.module_el8.5.0+2604+960c7771 | Jan 1, 2022 | Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. | ||
| CVE-2021-44716 | — | < 1.16.12-1.module_el8.5.0+2604+960c7771 | 1.16.12-1.module_el8.5.0+2604+960c7771 | Jan 1, 2022 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. | ||
| CVE-2021-41772 | — | < 1.17.7-1.module_el8.6.0+2736+ec10aba8 | 1.17.7-1.module_el8.6.0+2736+ec10aba8 | Nov 8, 2021 | Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. |
- CVE-2022-41725Feb 28, 2023affected < 1.19.6-1.module_el8.8.0+3558+75c9cb88fixed 1.19.6-1.module_el8.8.0+3558+75c9cb88
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package wi
- CVE-2022-41715Oct 14, 2022affected < 1.18.9-1.el9_1fixed 1.18.9-1.el9_1
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm
- CVE-2022-2880Oct 14, 2022affected < 1.18.9-1.el9_1fixed 1.18.9-1.el9_1
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s
- CVE-2022-2879Oct 14, 2022affected < 1.18.9-1.el9_1fixed 1.18.9-1.el9_1
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi
- CVE-2022-32148Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the
- CVE-2022-1962Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
- CVE-2022-30630Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
- CVE-2022-1705Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
- CVE-2022-30631Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
- CVE-2022-30633Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
- CVE-2022-30635Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
- CVE-2022-30632Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
- CVE-2022-28131Aug 9, 2022affected < 1.17.12-1.module_el8.6.0+3065+e17ed2d4fixed 1.17.12-1.module_el8.6.0+3065+e17ed2d4
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
- CVE-2022-23773Feb 11, 2022affected < 1.17.7-1.module_el8.6.0+2736+ec10aba8fixed 1.17.7-1.module_el8.6.0+2736+ec10aba8
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
- CVE-2022-23772Feb 11, 2022affected < 1.17.7-1.module_el8.6.0+2736+ec10aba8fixed 1.17.7-1.module_el8.6.0+2736+ec10aba8
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
- CVE-2022-23806Feb 11, 2022affected < 1.17.7-1.module_el8.6.0+2736+ec10aba8fixed 1.17.7-1.module_el8.6.0+2736+ec10aba8
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
- CVE-2021-39293Jan 24, 2022affected < 1.17.7-1.module_el8.6.0+2736+ec10aba8fixed 1.17.7-1.module_el8.6.0+2736+ec10aba8
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
- CVE-2021-44717Jan 1, 2022affected < 1.16.12-1.module_el8.5.0+2604+960c7771fixed 1.16.12-1.module_el8.5.0+2604+960c7771
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
- CVE-2021-44716Jan 1, 2022affected < 1.16.12-1.module_el8.5.0+2604+960c7771fixed 1.16.12-1.module_el8.5.0+2604+960c7771
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
- CVE-2021-41772Nov 8, 2021affected < 1.17.7-1.module_el8.6.0+2736+ec10aba8fixed 1.17.7-1.module_el8.6.0+2736+ec10aba8
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
Page 3 of 4