First published: Tue Jul 12 2022
A flaw was found in the Go standard library package encoding/xml. When Decoder.Skip is called while parsing a deeply nested XML document, uncontrolled recursion can exhaust the stack and cause a panic, allowing an attacker who supplies the document to impact system availability.
Credit: cve@mitre.org security@golang.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/skupper-cli | <0:1.0.2-2.el8 | 0:1.0.2-2.el8 |
redhat/openshift-serverless-clients | <0:1.3.1-4.el8 | 0:1.3.1-4.el8 |
redhat/go-toolset | <1.17-golang-0:1.17.12-1.el7_9 | 1.17-golang-0:1.17.12-1.el7_9 |
redhat/grafana | <0:7.5.15-3.el8 | 0:7.5.15-3.el8 |
redhat/golang | <0:1.17.12-1.el9_0 | 0:1.17.12-1.el9_0 |
redhat/grafana | <0:7.5.15-3.el9 | 0:7.5.15-3.el9 |
redhat/kubevirt | <0:4.12.0-1057.el7 | 0:4.12.0-1057.el7 |
redhat/kubevirt | <0:4.12.0-1057.el8 | 0:4.12.0-1057.el8 |
Golang Go | <1.17.12 | |
Golang Go | >=1.18.0, <1.18.4 | |
Fedoraproject Fedora | =35 | |
Netapp Cloud Insights Telegraf | ||
redhat/golang | <1.18.4 | 1.18.4 |
redhat/golang | <1.17.12 | 1.17.12 |
debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
CVE-2022-28131 is a vulnerability in Golang Go that allows a remote attacker to cause a denial of service (DoS) by exploiting an uncontrolled recursion flaw in Decoder.Skip in encoding/xml.
CVE-2022-28131 can lead to a panic in Golang Go, causing a DoS condition.
CVE-2022-28131 has a severity level of high with a score of 7.3.
Versions of Golang Go before 1.17.12, and 1.18.x versions before 1.18.4, are affected by CVE-2022-28131.
To fix CVE-2022-28131, update Golang Go to version 1.17.12 or 1.18.4, which contain the necessary security patches.