Vulnerabilities (CVE)

Vendor filter

Golang Subscribe

Product filter

Filter

29 total CVE
CVE Vendors Products Updated CVSS
CVE-2019-16276 1 Golang 1 Go 2019-10-08 5.0
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
CVE-2018-6574 3 Golang, Debian, Redhat 6 Go, Debian Linux, Enterprise Linux Server and 3 more 2019-10-03 4.6
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
CVE-2018-17848 2 Golang, Fedoraproject 2 Go, Fedora 2019-10-03 5.0
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
CVE-2017-8932 5 Novell, Golang, Fedoraproject and 2 more 5 Suse Package Hub For Suse Linux Enterprise, Go, Fedora and 2 more 2019-10-03 4.3
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to...
CVE-2017-15042 1 Golang 1 Go 2019-10-03 4.3
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in...
CVE-2018-17846 2 Golang, Fedoraproject 2 Go, Fedora 2019-10-03 5.0
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.
CVE-2017-15041 1 Golang 1 Go 2019-10-03 7.5
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git...
CVE-2019-14809 2 Golang, Debian 2 Go, Debian Linux 2019-08-24 7.5
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is...
CVE-2019-6486 3 Golang, Debian, Opensuse 3 Go, Debian Linux, Leap 2019-06-03 6.4
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
CVE-2018-16875 2 Golang, Opensuse 2 Go, Leap 2019-06-03 7.8
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS...
CVE-2018-16874 2 Golang, Opensuse 2 Go, Leap 2019-06-03 6.8
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is...
CVE-2018-16873 2 Golang, Opensuse 2 Go, Leap 2019-06-03 6.8
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly....
CVE-2019-9741 1 Golang 1 Go 2019-05-30 4.3
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVE-2019-11888 1 Golang 1 Go 2019-05-13 7.5
Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.
CVE-2015-5739 3 Golang, Fedoraproject, Redhat 6 Go, Fedora, Enterprise Linux Server and 3 more 2019-05-10 7.5
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content...
CVE-2015-5740 3 Golang, Fedoraproject, Redhat 6 Go, Fedora, Enterprise Linux Server and 3 more 2019-05-09 7.5
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.
CVE-2019-9634 1 Golang 1 Go 2019-04-12 6.8
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
CVE-2018-17847 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from...
CVE-2018-17143 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.
CVE-2018-17142 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.