CVE-2018-17847
Published 2018-10-01
Priority P433 · high · CVSS 3.1: 7.5 · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.83% (84.9th percentile)
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang.org | x_net | >= 0 < 0.0.0-20190125002852-4b62a64f59f7 | 0.0.0-20190125002852-4b62a64f59f7 |
| golang | net | <= 2018-09-25 | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat · 7.5 HIGH
OSV
Panic when parsing certain inputs in golang.org/x/net/html
osv·2022-07-01
The Parse function can panic on some invalid inputs.
For example, the Parse function panics on the input "".
OSV
golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
osv·2022-05-13
CVE-2018-17847 [HIGH] golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
The html package (aka `x/net/html`) through 2018-09-25 in Go mishandles ``, leading to a `panic: runtime error` (index out of range) in `(*nodeStack).pop` in node.go, called from `(*parser).clearActiveFormattingElements`, during an `html.Parse` call.
OSV
golang.org/x/net/html Improper Validation of Array Index vulnerability
osv·2022-05-13
CVE-2018-17847 [HIGH] golang.org/x/net/html Improper Validation of Array Index vulnerability
The html package (aka `x/net/html`) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
GHSA
golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
ghsa·2022-05-13
CVE-2018-17847 [HIGH] CWE-119 golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
The html package (aka `x/net/html`) through 2018-09-25 in Go mishandles ``, leading to a `panic: runtime error` (index out of range) in `(*nodeStack).pop` in node.go, called from `(*parser).clearActiveFormattingElements`, during an `html.Parse` call.
Red Hat
golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call
vendor_redhat·2018-10-01·CVSS 7.5
CVE-2018-17847 [HIGH] CWE-20 golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.
Package: grafana (Red Hat Ceph Storage 2) - Not affected
Package: grafana (Red Hat Ceph Storage 3) - Not affected
Package: golang-googlecode-net (Red Hat Enterprise Linux 7) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.10) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.2) - Not
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-17847 golang-googlecode-net: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17847 [HIGH] CVE-2018-17847 golang-googlecode-net: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM ch
Bugzilla
CVE-2018-17847 kompose: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17847 [HIGH] CVE-2018-17847 kompose: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
Bugzilla
CVE-2018-17847 heketi: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17847 [HIGH] CVE-2018-17847 heketi: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
Bugzilla
CVE-2018-17847 golang-googlecode-net: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17847 [HIGH] CVE-2018-17847 golang-googlecode-net: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
Bugzilla
CVE-2018-17847 golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17847 [HIGH] CVE-2018-17847 golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.
Upstream Issue:
https://github.com/golang/go/issues/27846
Discussion:
Created golang-googlecode-net tracking bugs for this issue:
Affects: epel-6 [bug 1639122]
Affects: fedora-all [bug 1639121]
Created heketi tracking bugs for this issue:
Affects: epel-6 [bug 1639120]
Affects: fedora-all [bug 1639119]
Created kompose tracking bugs for this issue:
Affects: fedora-all [bug 1639118]
Created origin tracking bug
Bugzilla
CVE-2018-17847 origin: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17847 [HIGH] CVE-2018-17847 origin: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
Bugzilla
CVE-2018-17847 heketi: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17847 [HIGH] CVE-2018-17847 heketi: golang-org-x-net-html: index out of range in (*nodeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
https://github.com/golang/go/issues/27846
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/