CVE-2022-32149Missing Release of Resource after Effective Lifetime in X Text Golang.org X Text Language

CWE-772Missing Release of Resource after Effective LifetimeCWE-407Inefficient Algorithmic Complexity12 documents9 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 83.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Golang.org X Text Golang.org X Text LanguageGolang.org X TextGolang Text+1 more
Timeline
PublishedOct 14
Latest updateApr 8

Description

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDgolang/text< 0.3.8
Gogolang.org/x_text< 0.3.8
Palo Altopaloalto/pan-os

🔴Vulnerability Details

6
OSV
golang-golang-x-text, golang-x-text vulnerabilities2023-02-16
GHSA
golang.org/x/text/language Denial of service via crafted Accept-Language header2022-10-14
OSV
golang.org/x/text/language Denial of service via crafted Accept-Language header2022-10-14
CVEList
Denial of service via crafted Accept-Language header in golang.org/x/text/language2022-10-14
OSV
CVE-2022-32149: An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse2022-10-14

📋Vendor Advisories

5
Palo Alto
PAN-SA-2026-0005 Informational Bulletin: OSS CVEs Fixed in PAN-OS2026-04-08
Ubuntu
Go Text vulnerabilities2023-02-16
Red Hat
golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags2022-10-11
Microsoft
Denial of service via crafted Accept-Language header in golang.org/x/text/language2022-10-11
Debian
CVE-2022-32149: golang-golang-x-text - An attacker may cause a denial of service by crafting an Accept-Language header ...2022
CVE-2022-32149 — HIGH severity | cvebase