CVE-2018-17143
Published 2018-09-17
CVE-2018-17143: The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.
Priority P432 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.77% (84.5th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang.org | x_net | >= 0 < 0.0.0-20180921000356-2f5d2388922f | 0.0.0-20180921000356-2f5d2388922f |
| golang | net | <= 2018-09-17 | — |
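A dependency check against the "Fixed in" value in the table above, as an added example (not code from the advisory or the Go project): it reads go.mod text and reports whether the required golang.org/x/net version sorts before 0.0.0-20180921000356-2f5d2388922f. The go.mod sample and the helper names `xnetVersion` and `affected` are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const xnet = "golang.org/x/net"
const fixedVersion = "v0.0.0-20180921000356-2f5d2388922f" // "Fixed in" value from the table

// Constructed go.mod for illustration; the version and hash are made up.
const sampleGoMod = `module example.com/scraper
require (
	golang.org/x/net v0.0.0-20180901000000-0123456789ab // indirect
)
`

// xnetVersion returns the x/net version from single-line or block require forms; replace directives are ignored.
func xnetVersion(gomod string) (string, bool) {
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(": // start of a require/replace/exclude block
			inRequire = f[0] == "require"
		case len(f) > 0 && f[0] == ")":
			inRequire = false
		case len(f) >= 3 && f[0] == "require" && f[1] == xnet:
			return f[2], true
		case len(f) >= 2 && inRequire && f[0] == xnet:
			return f[1], true
		}
	}
	return "", false
}

// affected reports whether version sorts before fixedVersion; tagged releases (v0.1.0 and later) sort after it.
func affected(version string) bool {
	const prefix = "v0.0.0-"
	if !strings.HasPrefix(version, prefix) {
		return false
	}
	// 14-digit UTC commit timestamps compare correctly as strings; a malformed one counts as affected.
	ts := strings.SplitN(version[len(prefix):], "-", 2)[0]
	return len(ts) != 14 || ts < fixedVersion[len(prefix):len(prefix)+14]
}

func main() {
	v, ok := xnetVersion(sampleGoMod)
	fmt.Println(v, ok, affected(v))
}
```

The check covers only the version written in go.mod; a vendored copy or a replace directive can put different code in the build.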
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat · 7.5 HIGH
OSV
Panic on unconsidered isindex and template combination in golang.org/x/net/html
osv·2022-07-06
The Parse function can panic on some invalid inputs.
For example, the Parse function panics on the input "".
OSV
golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
osv·2022-05-13
CVE-2018-17143 [HIGH] golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
GHSA
golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
ghsa·2022-05-13
CVE-2018-17143 [HIGH] CWE-119 golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
Red Hat
golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
vendor_redhat·2018-09-26·CVSS 7.5
CVE-2018-17143 [HIGH] CWE-20 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
Package: grafana (Red Hat Ceph Storage 2) - Not affected
Package: grafana (Red Hat Ceph Storage 3) - Not affected
Package: golang-googlecode-net (Red Hat Enterprise Linux 7) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.10) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.2) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.3) - Not affected
Package: atomic-openshift (Red Hat
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-17143 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17143 [HIGH] CVE-2018-17143 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla
CVE-2018-17143 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17143 [HIGH] CVE-2018-17143 golang-googlecode-net: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
Bugzilla
CVE-2018-17143 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17143 [HIGH] CVE-2018-17143 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [epel-6]
Bugzilla
CVE-2018-17143 origin: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17143 [HIGH] CVE-2018-17143 origin: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
Bugzilla
CVE-2018-17143 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17143 [HIGH] CVE-2018-17143 heketi: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
Bugzilla
CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17143 [HIGH] CVE-2018-17143 golang-org-x-net-html: Runtime panic in html.Parse() via crafted html
The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.
Upstream Issue:
https://github.com/golang/go/issues/27704
Upstream Patch:
https://go-review.googlesource.com/c/net/+/136575
Discussion:
Created heketi tracking bugs for this issue:
Affects: epel-6 [bug 1633040]
Affects: fedora-all [bug 1633039]
Created kompose tracking bugs for this issue:
Affects: fedora-all [bug 1633038]
Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1633037]
---
upstream fix
https://github.com/golang/net/commit/2f5d2388922f370f4355f327fcf4cfe9f5583908
---
Created golang-googlecode-net tr
Bugzilla
CVE-2018-17143 kompose: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
bugzilla·2018-09-26·CVSS 7.5
CVE-2018-17143 [HIGH] CVE-2018-17143 kompose: golang-org-x-net-html: Runtime panic in html.Parse() via crafted html [fedora-all]
https://github.com/golang/go/issues/27704
https://go-review.googlesource.com/c/net/+/136575
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/