CVE-2018-17847Improper Restriction of Operations within the Bounds of a Memory Buffer in X NET

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-20Improper Input Validation14 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.7%
top 28.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Golang.org X NETGolang NETFedoraproject Fedora
Timeline
PublishedOct 1
Latest updateJul 1

Description

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

Gogolang.org/x_net< 0.0.0-20190125002852-4b62a64f59f7
NVDgolang/net2018-09-25

Also affects: Fedora 28, 29

🔴Vulnerability Details

5
OSV
Panic when parsing certain inputs in golang.org/x/net/html2022-07-01
OSV
golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer2022-05-13
OSV
golang.org/x/net/html Improper Validation of Array Index vulnerability2022-05-13
GHSA
golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer2022-05-13
CVEList
CVE-2018-17847: The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack)2018-10-01

📋Vendor Advisories

1
Red Hat
golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call2018-10-01

💬Community

7
Bugzilla
CVE-2018-17847 golang-googlecode-net: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]2018-10-15
Bugzilla
CVE-2018-17847 kompose: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]2018-10-15
Bugzilla
CVE-2018-17847 heketi: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]2018-10-15
Bugzilla
CVE-2018-17847 golang-googlecode-net: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]2018-10-15
Bugzilla
CVE-2018-17847 golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call2018-10-15
CVE-2018-17847 — Golang.org X NET vulnerability | cvebase