VYPR

rpm package

suse/go1.18-openssl&distro=SUSE Linux Enterprise Module for Development Tools 15 SP4

pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4

Vulnerabilities (28)

  • CVE-2022-41725HigFeb 28, 2023
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package wi

  • CVE-2022-41724HigFeb 28, 2023
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly

  • CVE-2022-41723HigFeb 28, 2023
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

  • CVE-2022-41717MedDec 8, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s

  • CVE-2022-41720HigDec 7, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Op

  • CVE-2022-41716HigNov 2, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can ex

  • CVE-2022-41715HigOct 14, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm

  • CVE-2022-2880HigOct 14, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s

  • CVE-2022-2879HigOct 14, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi

  • CVE-2022-27664HigSep 6, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

  • CVE-2022-32189HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

  • CVE-2022-32148MedAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the

  • CVE-2022-30635HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.

  • CVE-2022-30633HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

  • CVE-2022-30632HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.

  • CVE-2022-30631HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.

  • CVE-2022-30630HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.

  • CVE-2022-30629LowAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

  • CVE-2022-30580HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

  • CVE-2022-29804HigAug 10, 2022
    affected < 1.18.10.1-150000.1.9.1fixed 1.18.10.1-150000.1.9.1

    Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

Page 1 of 2