Filtered by vendor Golang Subscriptions
Total 148 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-29510 2 Golang, Netapp 2 Go, Trident 2024-11-21 9.8 Critical
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVE-2020-29509 2 Golang, Netapp 2 Go, Trident 2024-11-21 9.8 Critical
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVE-2020-28852 2 Golang, Redhat 5 Text, Acm, Enterprise Linux and 2 more 2024-11-21 7.5 High
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
CVE-2020-28851 2 Golang, Redhat 5 Go, Acm, Enterprise Linux and 2 more 2024-11-21 7.5 High
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
CVE-2020-28367 2 Golang, Redhat 4 Go, Devtools, Enterprise Linux and 1 more 2024-11-21 7.5 High
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
CVE-2020-28366 4 Fedoraproject, Golang, Netapp and 1 more 7 Fedora, Go, Cloud Insights Telegraf Agent and 4 more 2024-11-21 7.5 High
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
CVE-2020-28362 4 Fedoraproject, Golang, Netapp and 1 more 12 Fedora, Go, Cloud Insights Telegraf Agent and 9 more 2024-11-21 7.5 High
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
CVE-2020-24553 5 Fedoraproject, Golang, Opensuse and 2 more 6 Fedora, Go, Leap and 3 more 2024-11-21 6.1 Medium
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
CVE-2020-16845 5 Debian, Fedoraproject, Golang and 2 more 13 Debian Linux, Fedora, Go and 10 more 2024-11-21 7.5 High
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
CVE-2020-15586 6 Cloudfoundry, Debian, Fedoraproject and 3 more 15 Cf-deployment, Routing-release, Debian Linux and 12 more 2024-11-21 5.9 Medium
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
CVE-2020-14040 3 Fedoraproject, Golang, Redhat 16 Fedora, Text, 3scale Amp and 13 more 2024-11-21 7.5 High
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
CVE-2020-14039 2 Golang, Opensuse 2 Go, Leap 2024-11-21 5.3 Medium
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
CVE-2020-0601 2 Golang, Microsoft 5 Go, Windows, Windows 10 and 2 more 2024-11-21 8.1 High
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
CVE-2019-9741 4 Debian, Fedoraproject, Golang and 1 more 6 Debian Linux, Fedora, Go and 3 more 2024-11-21 6.1 Medium
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVE-2019-9634 2 Golang, Microsoft 2 Go, Windows 2024-11-21 7.8 High
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
CVE-2019-6486 3 Debian, Golang, Opensuse 3 Debian Linux, Go, Leap 2024-11-21 N/A
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
CVE-2019-17596 6 Arista, Debian, Fedoraproject and 3 more 13 Cloudvision Portal, Eos, Mos and 10 more 2024-11-21 7.5 High
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
CVE-2019-16276 6 Debian, Fedoraproject, Golang and 3 more 11 Debian Linux, Fedora, Go and 8 more 2024-11-21 7.5 High
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
CVE-2019-14809 3 Debian, Golang, Redhat 4 Debian Linux, Go, Devtools and 1 more 2024-11-21 N/A
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
CVE-2019-11888 2 Golang, Microsoft 2 Go, Windows 2024-11-21 N/A
Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.