Golang Go vulnerabilities

CVE-2022-24921 [HIGH] CWE-674 CVE-2022-24921: regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply ne regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

CVE-2022-23806 [CRITICAL] CWE-252 CVE-2022-23806: Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly ret Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

CVE-2022-23773 [HIGH] CWE-436 CVE-2022-23773: cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appe cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

CVE-2022-23772 [HIGH] CWE-190 CVE-2022-23772: Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lea Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

CVE-2021-39293 [HIGH] CVE-2021-39293: In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely desig In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.

CVE-2021-44716 [HIGH] CWE-400 CVE-2021-44716: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

CVE-2021-44717 [MEDIUM] CWE-404 CVE-2021-44717: Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.

CVE-2021-41771 [HIGH] CWE-119 CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 A ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.

CVE-2021-41772 [HIGH] CWE-20 CVE-2021-41772: Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

CVE-2021-38297 [CRITICAL] CWE-120 CVE-2021-38297: Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function in Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

CVE-2021-36221 [MEDIUM] CWE-362 CVE-2021-36221: Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

CVE-2021-29923 [HIGH] CVE-2021-29923: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP addre Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

CVE-2021-33198 [HIGH] CVE-2021-33198: In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.

CVE-2021-33196 [HIGH] CWE-20 CVE-2021-33196: In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

CVE-2021-33195 [HIGH] CWE-74 CVE-2021-33195: Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replie Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.

CVE-2021-33197 [MEDIUM] CWE-862 CVE-2021-33197: In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/ht In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

CVE-2021-34558 [MEDIUM] CWE-295 CVE-2021-34558: The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

CVE-2012-2666 [CRITICAL] CWE-377 CVE-2012-2666: golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.g golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script.

CVE-2021-31525 [MEDIUM] CWE-674 CVE-2021-31525: net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

CVE-2021-33194 [HIGH] CWE-835 CVE-2021-33194: golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of ser golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.