CVE-2018-17142 — NULL Pointer Dereference in X NET

CWE-476 — NULL Pointer Dereference CWE-20 — Improper Input Validation13 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 29.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X NET Golang NET Fedoraproject Fedora

Timeline

PublishedSep 17

Latest updateJul 1

Description

The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Gogolang.org/x_net< 0.0.0-20180925071336-cf3bd585ca2a

▶NVDgolang/net2018-09-17

Also affects: Fedora 28, 29

🔴Vulnerability Details

OSV

Incorrect parsing of nested templates in golang.org/x/net/html↗2022-07-01

▶

OSV

golang.org/x/net/html NULL Pointer Dereference vulnerability↗2022-05-13

▶

GHSA

golang.org/x/net/html NULL Pointer Dereference vulnerability↗2022-05-13

▶

CVEList

CVE-2018-17142: The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse↗2018-09-17

▶

📋Vendor Advisories

Red Hat

golang-org-x-net-html: Runtime panic in html.Parse() via crafted html↗2018-09-26

▶

💬Community

Bugzilla

CVE-2018-17142 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]↗2018-10-15

▶

Bugzilla

CVE-2018-17142 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]↗2018-10-15

▶

Bugzilla

CVE-2018-17142 kompose: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]↗2018-09-26

▶

Bugzilla

CVE-2018-17142 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]↗2018-09-26

▶

Bugzilla

CVE-2018-17142 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]↗2018-09-26

▶