CVE-2020-28852 — Improper Validation of Array Index in Text

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 71.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 2
Latest update: Feb 16

Description

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

NVD: golang/text < 0.3.5

Vulnerability Details (4)

OSV: golang-golang-x-text, golang-x-text vulnerabilities (2023-02-16)
GHSA: GHSA-5rvp-q2j7-h9rj: In x/text in Go 1 (2022-05-24)
CVEList: CVE-2020-28852: In x/text in Go before v0 (2021-01-02)
OSV: CVE-2020-28852: In x/text in Go before v0 (2021-01-02)

Vendor Advisories (4)

Ubuntu: Go Text vulnerabilities (2023-02-16)
Microsoft: In x/text in Go before v0.3.5 a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept- (2021-01-12)
Red Hat: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (2021-01-02)
Debian: CVE-2020-28852: golang-golang-x-text - In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in lan... (2020)