First published: Tue Jul 12 2022(Updated: )
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion.
Credit: security@golang.org security@golang.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/skupper-cli | <0:1.0.2-2.el8 | 0:1.0.2-2.el8 |
redhat/openshift-serverless-clients | <0:1.3.1-4.el8 | 0:1.3.1-4.el8 |
redhat/go-toolset | <1.17-golang-0:1.17.12-1.el7_9 | 1.17-golang-0:1.17.12-1.el7_9 |
redhat/grafana | <0:7.5.15-3.el8 | 0:7.5.15-3.el8 |
redhat/golang | <0:1.17.12-1.el9_0 | 0:1.17.12-1.el9_0 |
redhat/grafana | <0:7.5.15-3.el9 | 0:7.5.15-3.el9 |
redhat/kubevirt | <0:4.12.0-1057.el7 | 0:4.12.0-1057.el7 |
redhat/kubevirt | <0:4.12.0-1057.el8 | 0:4.12.0-1057.el8 |
Golang Go | <1.17.12 | |
Golang Go | >=1.18.0<1.18.4 | |
redhat/golang | <1.18.4 | 1.18.4 |
redhat/golang | <1.17.12 | 1.17.12 |
debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
debian/golang-1.19 | 1.19.8-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The vulnerability ID for this flaw is CVE-2022-30633.
CVE-2022-30633 has a severity keyword of 'high' and a severity value of 7.
CVE-2022-30633 exploits the vulnerability through uncontrolled recursion in the Unmarshal function in encoding/xml.
Versions before Go 1.17.12 and Go 1.18.4 of the golang package are affected by CVE-2022-30633.
To fix CVE-2022-30633, update the golang package to version 1.17.12 or 1.18.4.