LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2008-0386 CVE STATUS: Patched CVE SUMMARY: Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0386 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2009-0068 CVE STATUS: Patched CVE SUMMARY: Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0068 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2014-9622 CVE STATUS: Patched CVE SUMMARY: Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9622 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2015-1877 CVE STATUS: Patched CVE SUMMARY: The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 in Debian, when using dash, does not properly handle local variables, which allows remote attackers to execute arbitrary commands via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1877 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2017-18266 CVE STATUS: Patched CVE SUMMARY: The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18266 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2020-27748 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27748 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2022-4055 CVE STATUS: Patched CVE SUMMARY: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4055 LAYER: meta-multimedia PACKAGE NAME: sox PACKAGE VERSION: 14.4.2 CVE: CVE-2004-0557 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0557 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2000-1213 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Fixed in 2000-10-10, but the versioning of iputils breaks the version order. CVE SUMMARY: ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, does not drop privileges after acquiring a raw socket, which increases ping's exposure to bugs that otherwise would occur at lower privileges. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1213 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2000-1214 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Fixed in 2000-10-10, but the versioning of iputils breaks the version order. CVE SUMMARY: Buffer overflows in the (1) outpack or (2) buf variables of ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, may allow local users to gain privileges. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1214 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2010-2529 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ping.c in iputils 20020927, 20070202, 20071127, and 20100214 on Mandriva Linux allows remote attackers to cause a denial of service (hang) via a crafted echo response. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2529 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2025-47268 CVE STATUS: Patched CVE SUMMARY: ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47268 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2025-48964 CVE STATUS: Patched CVE SUMMARY: ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-48964 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1147 CVE STATUS: Patched CVE SUMMARY: The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1147 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1175 CVE STATUS: Patched CVE SUMMARY: vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1175 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1494 CVE STATUS: Patched CVE SUMMARY: script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1494 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2003-0094 CVE STATUS: Patched CVE SUMMARY: A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0094 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2004-0080 CVE STATUS: Patched CVE SUMMARY: The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0080 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2005-2876 CVE STATUS: Patched CVE SUMMARY: umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2876 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2006-7108 CVE STATUS: Patched CVE SUMMARY: login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok. CVSS v2 BASE SCORE: 4.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7108 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2007-5191 CVE STATUS: Patched CVE SUMMARY: mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5191 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2008-1926 CVE STATUS: Patched CVE SUMMARY: Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1926 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1675 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1675 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1676 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1676 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1677 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1677 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2013-0157 CVE STATUS: Patched CVE SUMMARY: (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0157 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2014-9114 CVE STATUS: Patched CVE SUMMARY: Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9114 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2015-5218 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5218 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2015-5224 CVE STATUS: Patched CVE SUMMARY: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5224 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2016-2779 CVE STATUS: Patched CVE SUMMARY: runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2779 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2016-5011 CVE STATUS: Patched CVE SUMMARY: The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5011 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2017-2616 CVE STATUS: Patched CVE SUMMARY: A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2616 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2018-7738 CVE STATUS: Patched CVE SUMMARY: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7738 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2020-21583 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21583 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2021-37600 CVE STATUS: Patched CVE SUMMARY: An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37600 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2021-3995 CVE STATUS: Patched CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3995 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2021-3996 CVE STATUS: Patched CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3996 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2022-0563 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0563 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2024-28085 CVE STATUS: Patched CVE SUMMARY: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28085 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2012-2666 CVE STATUS: Patched CVE SUMMARY: golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2666 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2014-7189 CVE STATUS: Patched CVE SUMMARY: crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7189 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-5739 CVE STATUS: Patched CVE SUMMARY: The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5739 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-5740 CVE STATUS: Patched CVE SUMMARY: The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5740 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-5741 CVE STATUS: Patched CVE SUMMARY: The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5741 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-8618 CVE STATUS: Patched CVE SUMMARY: The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8618 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2016-3958 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3958 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2016-3959 CVE STATUS: Patched CVE SUMMARY: The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3959 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2016-5386 CVE STATUS: Patched CVE SUMMARY: The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5386 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-1000097 CVE STATUS: Patched CVE SUMMARY: On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000097 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-1000098 CVE STATUS: Patched CVE SUMMARY: The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000098 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-15041 CVE STATUS: Patched CVE SUMMARY: Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15041 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-15042 CVE STATUS: Patched CVE SUMMARY: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15042 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-8932 CVE STATUS: Patched CVE SUMMARY: A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8932 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-16873 CVE STATUS: Patched CVE SUMMARY: In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16873 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-16874 CVE STATUS: Patched CVE SUMMARY: In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16874 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-16875 CVE STATUS: Patched CVE SUMMARY: The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16875 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-6574 CVE STATUS: Patched CVE SUMMARY: Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6574 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-7187 CVE STATUS: Patched CVE SUMMARY: The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7187 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-11888 CVE STATUS: Patched CVE SUMMARY: Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11888 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-14809 CVE STATUS: Patched CVE SUMMARY: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14809 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-16276 CVE STATUS: Patched CVE SUMMARY: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16276 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-17596 CVE STATUS: Patched CVE SUMMARY: Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17596 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-6486 CVE STATUS: Patched CVE SUMMARY: Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6486 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-9634 CVE STATUS: Patched CVE SUMMARY: Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9634 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-9741 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9741 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-0601 CVE STATUS: Patched CVE SUMMARY: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0601 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-14039 CVE STATUS: Patched CVE SUMMARY: In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14039 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-15586 CVE STATUS: Patched CVE SUMMARY: Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15586 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-16845 CVE STATUS: Patched CVE SUMMARY: Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16845 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-24553 CVE STATUS: Patched CVE SUMMARY: Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24553 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28362 CVE STATUS: Patched CVE SUMMARY: Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28362 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28366 CVE STATUS: Patched CVE SUMMARY: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28366 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28367 CVE STATUS: Patched CVE SUMMARY: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28367 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28851 CVE STATUS: Patched CVE SUMMARY: In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28851 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-29509 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: The encoding/xml package in go can potentially be used for security exploits if not used correctly CVE applies to a netapp product as well as flagging a general issue. We don't ship anything exposing this interface in an exploitable way CVE SUMMARY: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29509 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-29510 CVE STATUS: Patched CVE SUMMARY: The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29510 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-29511 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: The encoding/xml package in go can potentially be used for security exploits if not used correctly CVE applies to a netapp product as well as flagging a general issue. We don't ship anything exposing this interface in an exploitable way CVE SUMMARY: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29511 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-7919 CVE STATUS: Patched CVE SUMMARY: Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7919 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-27918 CVE STATUS: Patched CVE SUMMARY: encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27918 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-27919 CVE STATUS: Patched CVE SUMMARY: archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27919 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-29923 CVE STATUS: Patched CVE SUMMARY: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29923 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-3114 CVE STATUS: Patched CVE SUMMARY: In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3114 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-3115 CVE STATUS: Patched CVE SUMMARY: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3115 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-31525 CVE STATUS: Patched CVE SUMMARY: net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31525 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33194 CVE STATUS: Patched CVE SUMMARY: golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33194 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33195 CVE STATUS: Patched CVE SUMMARY: Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33195 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33196 CVE STATUS: Patched CVE SUMMARY: In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33196 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33197 CVE STATUS: Patched CVE SUMMARY: In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33197 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33198 CVE STATUS: Patched CVE SUMMARY: In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33198 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-34558 CVE STATUS: Patched CVE SUMMARY: The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-34558 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-36221 CVE STATUS: Patched CVE SUMMARY: Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36221 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-38297 CVE STATUS: Patched CVE SUMMARY: Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38297 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-39293 CVE STATUS: Patched CVE SUMMARY: In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39293 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-41771 CVE STATUS: Patched CVE SUMMARY: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41771 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-41772 CVE STATUS: Patched CVE SUMMARY: Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41772 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-44716 CVE STATUS: Patched CVE SUMMARY: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44716 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-44717 CVE STATUS: Patched CVE SUMMARY: Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 4.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44717 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-1705 CVE STATUS: Patched CVE SUMMARY: Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1705 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-1962 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1962 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-23772 CVE STATUS: Patched CVE SUMMARY: Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23772 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-23773 CVE STATUS: Patched CVE SUMMARY: cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23773 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-23806 CVE STATUS: Patched CVE SUMMARY: Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23806 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-24675 CVE STATUS: Patched CVE SUMMARY: encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24675 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-24921 CVE STATUS: Patched CVE SUMMARY: regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24921 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-27536 CVE STATUS: Patched CVE SUMMARY: Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27536 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-27664 CVE STATUS: Patched CVE SUMMARY: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27664 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-28131 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28131 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-28327 CVE STATUS: Patched CVE SUMMARY: The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28327 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-2879 CVE STATUS: Patched CVE SUMMARY: Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2879 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-2880 CVE STATUS: Patched CVE SUMMARY: Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2880 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-29526 CVE STATUS: Patched CVE SUMMARY: Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29526 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-29804 CVE STATUS: Patched CVE SUMMARY: Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29804 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30580 CVE STATUS: Patched CVE SUMMARY: Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30580 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30629 CVE STATUS: Patched CVE SUMMARY: Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30629 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30630 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30630 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30631 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30631 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30632 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30632 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30633 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30633 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30634 CVE STATUS: Patched CVE SUMMARY: Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30634 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30635 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30635 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-32148 CVE STATUS: Patched CVE SUMMARY: Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32148 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-32189 CVE STATUS: Patched CVE SUMMARY: A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32189 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-32190 CVE STATUS: Patched CVE SUMMARY: JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32190 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41715 CVE STATUS: Patched CVE SUMMARY: Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41715 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41716 CVE STATUS: Patched CVE SUMMARY: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D". CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41716 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41717 CVE STATUS: Patched CVE SUMMARY: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41717 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41720 CVE STATUS: Patched CVE SUMMARY: On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41720 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41722 CVE STATUS: Patched CVE SUMMARY: A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b". CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41722 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41723 CVE STATUS: Patched CVE SUMMARY: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41723 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41724 CVE STATUS: Patched CVE SUMMARY: Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41724 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41725 CVE STATUS: Patched CVE SUMMARY: A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41725 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24532 CVE STATUS: Patched CVE SUMMARY: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24532 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24534 CVE STATUS: Patched CVE SUMMARY: HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24534 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24536 CVE STATUS: Patched CVE SUMMARY: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24536 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24537 CVE STATUS: Patched CVE SUMMARY: Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24537 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24538 CVE STATUS: Patched CVE SUMMARY: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24538 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24539 CVE STATUS: Patched CVE SUMMARY: Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24539 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24540 CVE STATUS: Patched CVE SUMMARY: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24540 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29400 CVE STATUS: Patched CVE SUMMARY: Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29400 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29402 CVE STATUS: Patched CVE SUMMARY: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29402 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29403 CVE STATUS: Patched CVE SUMMARY: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29403 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29404 CVE STATUS: Patched CVE SUMMARY: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29404 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29405 CVE STATUS: Patched CVE SUMMARY: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29405 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29406 CVE STATUS: Patched CVE SUMMARY: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29406 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29409 CVE STATUS: Patched CVE SUMMARY: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29409 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-39318 CVE STATUS: Patched CVE SUMMARY: The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in