Vulnerabilities for 'GO'

2020-09-02
 
CVE-2020-24553

CWE-79
 

 
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

 
2020-08-06
 
CVE-2020-16845

CWE-835
 

 
Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

 
2020-07-17
 
CVE-2020-15586

CWE-362
 

 
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

 
 
CVE-2020-14039

CWE-295
 

 
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

 
2020-03-16
 
CVE-2020-7919

CWE-295
 

 
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

 
2020-02-08
 
CVE-2015-5741

CWE-444
 

 
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

 
2019-09-30
 
CVE-2019-16276

CWE-444
 

 
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

 
2019-08-13
 
CVE-2019-14809

CWE-20
 

 
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

 
2019-05-13
 
CVE-2019-11888

CWE-264
 

 
Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.

 
2019-03-13
 
CVE-2019-9741

CWE-93
 

 
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

 


Copyright 2020, cxsecurity.com

 
