Latest Golang Vulnerabilities

CVE-2023-48795
Prefix Truncation Attacks in SSH Specification (Terrapin Attack)
pip/paramiko>=2.5.0<3.4.0
go/golang.org/x/crypto<0.17.0
rust/russh<0.40.2
Apple macOS Sonoma<14.4
Openbsd Openssh<9.6
Putty Putty<0.80
and 128 more
CVE-2023-39326
Denial of service via chunk extensions in net/http
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~20.04.1
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~22.04.1
ubuntu/golang-1.20<1.20.3-1ubuntu0.2
ubuntu/golang-1.20<1.20.12-1
ubuntu/golang-1.20<1.20.8-1ubuntu0.23.10.1
ubuntu/golang-1.21<1.21.5-1
and 13 more
CVE-2023-45285
Command 'go get' may unexpectedly fallback to insecure git in cmd/go
ubuntu/golang-1.20<1.20.12-1
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~20.04.1
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~22.04.1
ubuntu/golang-1.20<1.20.3-1ubuntu0.2
ubuntu/golang-1.20<1.20.8-1ubuntu0.23.10.1
ubuntu/golang-1.21<1.21.5-1
and 13 more
CVE-2023-45287
Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel
Golang Go<1.20.0
redhat/golang<1.20
CVE-2023-45284
Incorrect detection of reserved device names on Windows in path/filepath
Golang Go<1.20.11
Golang Go>=1.21.0-0<1.21.4
Microsoft Windows
CVE-2023-45283
Insecure parsing of Windows paths with a \??\ prefix in path/filepath
Golang Go<1.20.11
Golang Go>=1.21.0-0<1.21.4
Microsoft Windows
CVE-2023-46324
pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been valida...
go/github.com/free5gc/udm<1.2.0
Free5gc Udm<1.2.0
Golang Go<1.19
Free5gc Udm<1.2.0
Golang Go<1.19
CVE-2023-39325
HTTP/2 rapid reset can cause excessive work in net/http
go/golang.org/x/net<0.17.0
debian/golang-1.11<=1.11.6-1+deb10u4<=1.11.6-1+deb10u7
debian/golang-1.15<=1.15.15-1~deb11u4
debian/golang-1.19<=1.19.8-2
debian/golang-1.21
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~20.04.1
and 19 more
CVE-2023-44487
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 556 more
CVE-2023-39323
Arbitrary code execution during build via line directives in cmd/go
Golang Go<1.20.9
Golang Go>=1.21.0<1.21.2
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Fedoraproject Fedora=39
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~20.04.1
and 13 more
CVE-2023-39320
Arbitrary code execution via go.mod toolchain directive in cmd/go
Golang Go>=1.21.0<1.21.1
CVE-2023-39322
Memory exhaustion in QUIC connection handling in crypto/tls
Golang Go>=1.21.0<1.21.1
IBM Planning Analytics on Cloud Pak for Data<=4.0
redhat/golang<1.20.8
redhat/golang<1.21.1
CVE-2023-39318
Improper handling of HTML-like comments in script contexts in html/template
Golang Go<1.20.8
Golang Go>=1.21.0<1.21.1
IBM Planning Analytics<=2.0
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~20.04.1
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~22.04.1
ubuntu/golang-1.20<1.20.8
and 8 more
CVE-2023-39321
Panic when processing post-handshake message on QUIC connections in crypto/tls
Golang Go>=1.21.0<1.21.1
IBM Planning Analytics on Cloud Pak for Data<=4.0
redhat/golang<1.20.8
redhat/golang<1.21.1
CVE-2023-39319
Improper handling of special tags within script contexts in html/template
Golang Go<1.20.8
Golang Go>=1.21.0<1.21.1
IBM Planning Analytics<=2.0
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~20.04.1
ubuntu/golang-1.20<1.20.3-1ubuntu0.1~22.04.1
ubuntu/golang-1.20<1.20.8
and 8 more
CVE-2023-39533
go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node...
Golang Go<1.19.12
Golang Go>=1.20.0<1.20.7
Libp2p Go-libp2p<0.27.8
Libp2p Go-libp2p>=0.28.0<0.28.2
Libp2p Go-libp2p=0.29.0
Quic Project Quic<0.37.2
and 1 more
CVE-2023-3978
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
go/golang.org/x/net<0.13.0
redhat/golang.org/x/net/html<0.13.0
Golang Networking Go<0.13.0
CVE-2023-29407
Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff
Golang Image<0.10.0
go/golang.org/x/image<0.10.0
Fedoraproject Fedora=37
Fedoraproject Fedora=38
CVE-2023-29408
Excessive resource consumption in golang.org/x/image/tiff
Golang Image<0.10.0
go/golang.org/x/image<0.10.0
Fedoraproject Fedora=37
Fedoraproject Fedora=38
CVE-2023-29409
Large RSA keys can cause high CPU usage in crypto/tls
Golang Go<1.19.12
Golang Go>=1.20.0<1.20.7
Golang Go=1.21.0-rc1
Golang Go=1.21.0-rc2
Golang Go=1.21.0-rc3
redhat/Go<1.20.7
and 2 more
CVE-2023-29406
Insufficient sanitization of Host header in net/http
Golang Go>=1.20.0<1.20.6
Golang Go<1.19.11
IBM Cloud Pak for Business Automation<=V23.0.1 - V23.0.1-IF002
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF024
IBM Cloud Pak for Business Automation<=V22.0.2 - V22.0.2-IF006 and later fixesV22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes
redhat/golang<1.19.11
and 1 more
CVE-2023-29405
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
Golang Go<1.19.10
Golang Go>=1.20.0<1.20.5
Fedoraproject Fedora=38
IBM Storage Protect Plus vSnap<=10.1
CVE-2023-29404
Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go
Golang Go<1.19.10
Golang Go>=1.20.0<1.20.5
Fedoraproject Fedora=38
IBM Storage Protect Plus vSnap<=10.1
CVE-2023-29403
Unsafe behavior in setuid/setgid binaries in runtime
Golang Go<1.19.10
Golang Go>=1.20.0<1.20.5
Fedoraproject Fedora=38
IBM Storage Protect Plus vSnap<=10.1
CVE-2023-29402
Code injection via go command with cgo in cmd/go
Golang Go<1.19.10
Golang Go>=1.20.0<1.20.5
Fedoraproject Fedora=38
IBM Storage Protect Plus vSnap<=10.1
CVE-2023-29400
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This ma...
Golang Go<1.19.9
Golang Go>=1.20.0<1.20.4
CVE-2023-24540
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript conte...
Golang Go<1.19.9
Golang Go>=1.20.0<1.20.4
redhat/golang<1.19.9
redhat/golang<1.20.4
CVE-2023-24539
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the C...
Golang Go<1.19.9
Golang Go>=1.20.0<1.20.4
redhat/golang<1.19.9
redhat/golang<1.20.4
CVE-2023-24537
Infinite loop in parsing in go/scanner
Golang Go<1.19.8
Golang Go>=1.20.0<1.20.3
redhat/golang<1.20.3
redhat/golang<1.19.8
CVE-2023-24534
Excessive memory allocation in net/http and net/textproto
Golang Go<1.19.8
Golang Go>=1.20.0<1.20.3
redhat/golang<1.20.3
redhat/golang<1.19.8
CVE-2023-24536
Excessive resource consumption in net/http, net/textproto and mime/multipart
Golang Go<1.19.8
Golang Go>=1.20.0<1.20.3
CVE-2023-24538
Backticks not treated as string delimiters in html/template
Golang Go<1.19.8
Golang Go>=1.20.0<1.20.3
redhat/golang<1.20.3
redhat/golang<1.19.8
CVE-2023-24532
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not i...
Golang Go<1.19.7
Golang Go>=1.20.0<1.20.2
redhat/Go 1.20.2 and Go<1.19.7
CVE-2022-41724
Panic on large handshake records in crypto/tls
Golang Go<1.19.6
Golang Go=1.20.0
Golang Go=1.20.0-rc1
Golang Go=1.20.0-rc2
Golang Go=1.20.0-rc3
CVE-2022-41725
Excessive resource consumption in mime/multipart
Golang Go<1.19.6
Golang Go=1.20.0
Golang Go=1.20.0-rc1
Golang Go=1.20.0-rc2
Golang Go=1.20.0-rc3
CVE-2022-41723
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
redhat/openshift-serverless-clients<0:1.8.1-3.el8
redhat/openshift<0:4.13.0-202304211155.p0.gb404935.assembly.stream.el9
redhat/etcd<0:3.3.23-14.el8
redhat/skupper-cli<0:1.4.1-2.el8
redhat/skupper-cli<0:1.4.1-2.el9
go/golang.org/x/net<0.7.0
and 7 more
CVE-2022-41727
Denial of service via crafted TIFF image in golang.org/x/image/tiff
Golang Image<0.5.0
Golang Tiff
Fedoraproject Fedora=37
Fedoraproject Fedora=38
CVE-2022-41722
A flaw was found in Go, where it could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the filepath.Clean on Windows package. This flaw...
Golang Go<1.19.6
Golang Go=1.20.0
Microsoft Windows
redhat/Go<1.20.1
redhat/Go<1.19.6
redhat/openshift-clients<0:4.13.0-202305291355.p0.g1024efc.assembly.stream.el8
CVE-2022-41721
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the...
Golang H2c<2022-11-04
go/golang.org/x/net>=0.0.0-20220524220425-1d687d428aca<0.1.1-0.20221104162952-702349b0e862
redhat/golang.org/x/net 0.1.1-0.20221104162952<702349
CVE-2022-41717
Excessive memory growth in net/http and golang.org/x/net/http2
go/golang.org/x/net/http2<0.4.0
redhat/golang<1.19.4
redhat/golang<1.18.9
Golang Go<1.18.9
Golang Go>=1.19.0<1.19.4
Golang Http2 Go<0.4.0
and 2 more
CVE-2022-41720
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit ac...
Golang Go<1.18.9
Golang Go>=1.19.0<1.19.4
Microsoft Windows
CVE-2022-41716
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL va...
Golang Go<1.18.8
Golang Go>=1.19.0<1.19.3
Microsoft Windows
IBM Cloud Pak for Business Automation<=V22.0.2 - V22.0.2-IF001
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF017
IBM Cloud Pak for Business Automation<=V22.0.1 - V22.0.1-IF006 and later fixes V21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes
CVE-2022-32149
A vulnerability was found in golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant t...
redhat/podman<3:4.2.0-7.rhaos4.12.el9
redhat/kubevirt<0:4.13.0-1469.el7
redhat/kubevirt<0:4.13.0-1469.el8
redhat/kubevirt<0:4.13.0-1469.el9
Golang Text<0.3.8
go/golang.org/x/text<0.3.8
and 3 more
CVE-2022-41715
Memory exhaustion when compiling regular expressions in regexp/syntax
redhat/openshift-serverless-clients<0:1.6.1-1.el8
redhat/go-toolset<1.18-0:1.18.9-1.el7_9
redhat/go-toolset<1.18-golang-0:1.18.9-1.el7_9
redhat/osbuild-composer<0:75-1.el8
redhat/weldr-client<0:35.9-2.el8
redhat/grafana<0:7.5.15-4.el8
and 24 more
CVE-2022-2879
Unbounded memory consumption when reading headers in archive/tar
redhat/openshift-serverless-clients<0:1.6.1-1.el8
redhat/go-toolset<1.18-0:1.18.9-1.el7_9
redhat/go-toolset<1.18-golang-0:1.18.9-1.el7_9
redhat/osbuild-composer<0:75-1.el8
redhat/weldr-client<0:35.9-2.el8
redhat/golang<0:1.18.9-1.el9_1
and 13 more
CVE-2022-2880
Incorrect sanitization of forwarded query parameters in net/http/httputil
redhat/openshift-serverless-clients<0:1.6.1-1.el8
redhat/go-toolset<1.18-0:1.18.9-1.el7_9
redhat/go-toolset<1.18-golang-0:1.18.9-1.el7_9
redhat/osbuild-composer<0:75-1.el8
redhat/weldr-client<0:35.9-2.el8
redhat/grafana<0:7.5.15-4.el8
and 19 more
CVE-2022-32190
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath doc...
Golang Go=1.19.0
Golang Go=1.19.0-beta1
Golang Go=1.19.0-rc1
Golang Go=1.19.0-rc2
redhat/openshift-clients<0:4.12.0-202301042257.p0.g854f807.assembly.stream.el8
redhat/podman<3:4.2.0-7.rhaos4.12.el9
and 4 more
CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
go/golang.org/x/net/http2<0.0.0-20220906165146-f3363e06e74c
go/golang.org/x/net<0.0.0-20220906165146-f3363e06e74c
redhat/openshift-serverless-clients<0:1.6.1-1.el8
redhat/git-lfs<0:2.13.3-3.el8_6
redhat/osbuild-composer<0:75-1.el8
redhat/weldr-client<0:35.9-2.el8
and 29 more
CVE-2022-30580
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Outp...
Golang Go<1.17.11
Golang Go>=1.18.0<1.18.3
CVE-2022-29804
Path traversal via Clean on Windows in path/filepath
Golang Go<1.17.11
Golang Go>=1.18.0<1.18.3
Microsoft Windows

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203