CVE-2018-17142
published 2018-09-17
Priority P432 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.81% (84.7th percentile)
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang.org | x_net | >= 0 < 0.0.0-20180925071336-cf3bd585ca2a | 0.0.0-20180925071336-cf3bd585ca2a |
| golang | net | <= 2018-09-17 | — |
CVSS provenance
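| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |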
OSV
Incorrect parsing of nested templates in golang.org/x/net/html
osv·2022-07-01
CVE-2018-17142 Incorrect parsing of nested templates in golang.org/x/net/html
The Parse function can panic on some invalid inputs.
For example, the Parse function panics on the input "".
OSV
golang.org/x/net/html NULL Pointer Dereference vulnerability
osv·2022-05-13
CVE-2018-17142 [HIGH] golang.org/x/net/html NULL Pointer Dereference vulnerability
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call
GHSA
golang.org/x/net/html NULL Pointer Dereference vulnerability
ghsa·2022-05-13
CVE-2018-17142 [HIGH] CWE-476 golang.org/x/net/html NULL Pointer Dereference vulnerability
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call
Red Hat
golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
vendor_redhat·2018-09-26·CVSS 7.5
CVE-2018-17142 [HIGH] CWE-20 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.
Package: grafana (Red Hat Ceph Storage 2) - Not affected
Package: grafana (Red Hat Ceph Storage 3) - Not affected
Package: golang-googlecode-net (Red Hat Enterprise Linux 7) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.10) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.2) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.3) - Not affected
Package: atomic-openshift
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-17142 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17142 [HIGH] CVE-2018-17142 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla
CVE-2018-17142 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17142 [HIGH] CVE-2018-17142 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use
Bugzilla
CVE-2018-17142 kompose: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17142 [HIGH] CVE-2018-17142 kompose: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affect
Bugzilla
CVE-2018-17142 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17142 [HIGH] CVE-2018-17142 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2018-17142 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17142 [HIGH] CVE-2018-17142 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following t
Bugzilla
CVE-2018-17142 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17142 [HIGH] CVE-2018-17142 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.
Upstream Issue:
https://github.com/golang/go/issues/27702
Discussion:
Created heketi tracking bugs for this issue:
Affects: epel-6 [bug 1633026]
Affects: fedora-all [bug 1633025]
Created kompose tracking bugs for this issue:
Affects: fedora-all [bug 1633024]
Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1633023]
---
upstream fix:
https://github.com/golang/net/commit/cf3bd585ca2a5a21b057abd8be7eea2204af89d0
---
Created golang-googlecode-net tracking bugs for this issue:
Affects: epel-6 [bug 1639105]
Bugzilla
CVE-2018-17142 origin: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17142 [HIGH] CVE-2018-17142 origin: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
https://github.com/golang/go/issues/27702
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/
2018-09-17
Published