CVE-2020-16845: Infinite Loop in XZ

CWE-835 (Infinite Loop) | 16 documents | 9 sources
Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 64.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 6, 2020; latest update May 23, 2023

Description

Go before 1.13.15 and 1.14.x before 1.14.7 can enter an infinite read loop in ReadUvarint and ReadVarint in encoding/binary on invalid input: a byte stream whose continuation bit never clears keeps the decoder reading an unlimited number of bytes from the underlying reader instead of returning an overflow error.
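The following is an added example, not code from the page or from the Go project, that reproduces the failure mode described above and contrasts it with the bounded decoder. vulnerableReadUvarint is modelled on the pre-fix loop shape (no cap on bytes read); boundedReadUvarint is modelled on the fix (stop after binary.MaxVarintLen64 bytes). continuationStream is a constructed reader that emits 0x80 forever, with an artificial budget so the vulnerable variant terminates in this demo; the names are assumptions for illustration. The stdlib binary.ReadUvarint is run alongside for comparison on a patched toolchain.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var errOverflow = errors.New("varint overflows a 64-bit integer")

// continuationStream is a constructed io.ByteReader that yields 0x80
// (continuation bit set, zero payload) forever: the "invalid input" from
// the advisory. budget caps the bytes handed out so the vulnerable decoder
// below terminates in this demo; a real network peer imposes no such cap.
type continuationStream struct {
	budget int
	read   int
}

func (s *continuationStream) ReadByte() (byte, error) {
	if s.read >= s.budget {
		return 0, io.ErrUnexpectedEOF
	}
	s.read++
	return 0x80, nil
}

// vulnerableReadUvarint mirrors the pre-fix shape (illustrative, not the
// stdlib source): the only exits are a terminating byte (< 0x80) or a
// reader error. Once s >= 64 the shifted payload is 0 in Go, so x stops
// changing but the loop keeps pulling bytes indefinitely.
func vulnerableReadUvarint(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; ; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			if i > 9 || i == 9 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
}

// boundedReadUvarint caps the loop at binary.MaxVarintLen64 bytes, the
// approach of the fix in Go 1.13.15 / 1.14.7: a 64-bit value never needs
// more than 10 bytes, so needing an 11th means the input is invalid.
func boundedReadUvarint(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow
}

// bytesConsumed runs decode against a fresh stream of budget continuation
// bytes and reports how many bytes the decoder pulled before giving up.
func bytesConsumed(decode func(io.ByteReader) (uint64, error), budget int) int {
	s := &continuationStream{budget: budget}
	decode(s)
	return s.read
}

func main() {
	const budget = 1 << 20 // 1 MiB of continuation bytes
	fmt.Println("vulnerable:", bytesConsumed(vulnerableReadUvarint, budget))
	fmt.Println("bounded:   ", bytesConsumed(boundedReadUvarint, budget))
	fmt.Println("stdlib:    ", bytesConsumed(binary.ReadUvarint, budget))
}
```

The vulnerable variant drains whatever the reader offers (the full budget here; a socket that never sends a terminating byte would pin the goroutine forever), while the bounded variant and a patched stdlib stop after 10 bytes with an overflow error. When auditing a Go service that decodes varints from untrusted input, the check is simply whether the toolchain is at or past the fixed versions; any hand-rolled varint reader (the ulikunitz/xz copy listed below is one instance) needs the same byte cap.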

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (4 packages)

NVD | golang/go | 1.14, 1.14.7 (+1)
CVEListV5 | ulikunitz/xz | < 0.5.8
NVD | opensuse/leap | 15.1, 15.2 (+1)

Also affects: Debian Linux 10.0, 9.0; Fedora 31, 32

🔴 Vulnerability Details (6)

OSV: Unbounded read from invalid inputs in encoding/binary (2022-07-01)
GHSA: Withdrawn Advisory: Infinite loop in xz (2021-12-16)
OSV: Withdrawn Advisory: Infinite loop in xz (2021-12-16)
GHSA: github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS) (2021-05-25)
OSV: CVE-2020-16845: Go before 1 (2020-08-06)

📋 Vendor Advisories (6)

Ubuntu: Go vulnerability (2023-05-23)
Ubuntu: Go vulnerability (2022-11-15)
Red Hat: ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (2020-08-19)
Microsoft: Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. (2020-08-11)
Red Hat: golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (2020-08-06)

💬 Community (3)

Bugzilla: CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (2020-08-07)
Bugzilla: CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs [fedora-all] (2020-08-07)
Bugzilla: CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs [epel-all] (2020-08-07)
CVE-2020-16845 — Infinite Loop in Ulikunitz XZ | cvebase