Filtered by vendor Redhat
Subscriptions
Filtered by product Devtools
Subscriptions
Total
72 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-14040 | 3 Fedoraproject, Golang, Redhat | 16 Fedora, Text, 3scale Amp and 13 more | 2024-11-21 | 7.5 High |
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. | ||||
CVE-2019-9741 | 4 Debian, Fedoraproject, Golang and 1 more | 6 Debian Linux, Fedora, Go and 3 more | 2024-11-21 | 6.1 Medium |
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. | ||||
CVE-2019-9514 | 13 Apache, Apple, Canonical and 10 more | 44 Traffic Server, Mac Os X, Swiftnio and 41 more | 2024-11-21 | 7.5 High |
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | ||||
CVE-2019-9512 | 6 Apache, Apple, Canonical and 3 more | 24 Traffic Server, Mac Os X, Swiftnio and 21 more | 2024-11-21 | 7.5 High |
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | ||||
CVE-2019-17596 | 6 Arista, Debian, Fedoraproject and 3 more | 13 Cloudvision Portal, Eos, Mos and 10 more | 2024-11-21 | 7.5 High |
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. | ||||
CVE-2019-16276 | 6 Debian, Fedoraproject, Golang and 3 more | 11 Debian Linux, Fedora, Go and 8 more | 2024-11-21 | 7.5 High |
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. | ||||
CVE-2019-14809 | 3 Debian, Golang, Redhat | 4 Debian Linux, Go, Devtools and 1 more | 2024-11-21 | N/A |
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. | ||||
CVE-2018-6574 | 3 Debian, Golang, Redhat | 8 Debian Linux, Go, Devtools and 5 more | 2024-11-21 | N/A |
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. | ||||
CVE-2018-1000622 | 2 Redhat, Rust-lang | 2 Devtools, Rust | 2024-11-21 | N/A |
The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1. | ||||
CVE-2017-15095 | 5 Debian, Fasterxml, Netapp and 2 more | 31 Debian Linux, Jackson-databind, Oncommand Balance and 28 more | 2024-11-21 | 9.8 Critical |
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. | ||||
CVE-2017-15042 | 2 Golang, Redhat | 3 Go, Devtools, Enterprise Linux | 2024-11-21 | N/A |
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. | ||||
CVE-2017-15041 | 3 Debian, Golang, Redhat | 9 Debian Linux, Go, Developer Tools and 6 more | 2024-11-21 | 9.8 Critical |
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get." |