CVE-2018-17848
Published 2018-10-01
Priority P433 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 2.68% (83.9th percentile)
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang.org | x_net | >= 0 < 0.0.0-20190125002852-4b62a64f59f7 | 0.0.0-20190125002852-4b62a64f59f7 |
| golang | net | <= 2018-09-25 | — |
CVSS provenance
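| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |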
OSV
Panic when parsing certain inputs in golang.org/x/net/html
osv·2022-07-01
CVE-2018-17847 Panic when parsing certain inputs in golang.org/x/net/html
The Parse function can panic on some invalid inputs.
For example, the Parse function panics on the input "".
GHSA
golang.org/x/net/html Improper Validation of Array Index vulnerability
ghsa·2022-05-13
CVE-2018-17848 [HIGH] CWE-129 golang.org/x/net/html Improper Validation of Array Index vulnerability
The html package (aka `x/net/html`) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
OSV
golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
osv·2022-05-13
CVE-2018-17847 [HIGH] golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer
The html package (aka `x/net/html`) through 2018-09-25 in Go mishandles ``, leading to a `panic: runtime error` (index out of range) in `(*nodeStack).pop` in node.go, called from `(*parser).clearActiveFormattingElements`, during an `html.Parse` call.
OSV
golang.org/x/net/html Improper Validation of Array Index vulnerability
osv·2022-05-13
CVE-2018-17847 [HIGH] golang.org/x/net/html Improper Validation of Array Index vulnerability
The html package (aka `x/net/html`) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
Red Hat
golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call
vendor_redhat·2018-10-01·CVSS 7.5
CVE-2018-17848 [HIGH] CWE-20 golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
Package: grafana (Red Hat Ceph Storage 2) - Not affected
Package: grafana (Red Hat Ceph Storage 3) - Not affected
Package: golang-googlecode-net (Red Hat Enterprise Linux 7) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.10) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.2) - Not affected
Pa
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-17848 golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17848 [HIGH] CVE-2018-17848 golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
Upstream Issue:
https://github.com/golang/go/issues/27846
Discussion:
Created golang-googlecode-net tracking bugs for this issue:
Affects: epel-6 [bug 1639131]
Affects: fedora-all [bug 1639130]
Created heketi tracking bugs for this issue:
Affects: epel-6 [bug 1639129]
Affects: fedora-all [bug 1639128]
Created kompose tracking bugs for this issue:
Affects: fedora-all [bug 1639127]
Created origin tracking bugs for this is
Bugzilla
CVE-2018-17848 heketi: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17848 [HIGH] CVE-2018-17848 heketi: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and th
Bugzilla
CVE-2018-17848 golang-googlecode-net: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17848 [HIGH] CVE-2018-17848 golang-googlecode-net: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [epel-6]
Bugzilla
CVE-2018-17848 golang-googlecode-net: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17848 [HIGH] CVE-2018-17848 golang-googlecode-net: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in t
Bugzilla
CVE-2018-17848 kompose: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17848 [HIGH] CVE-2018-17848 kompose: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
Bugzilla
CVE-2018-17848 origin: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17848 [HIGH] CVE-2018-17848 origin: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
Bugzilla
CVE-2018-17848 heketi: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
bugzilla·2018-10-15·CVSS 7.5
CVE-2018-17848 [HIGH] CVE-2018-17848 heketi: golang-org-x-net-html: index out of range in (*insertionModeStack).pop in node.go causes runtime panic during html.Parse() call [fedora-all]
https://github.com/golang/go/issues/27846
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/