Vulnerabilities (CVE)

Vendor filter

Golang Subscribe

Product filter

Filter

28 total CVE
CVE Vendors Products Updated CVSS
CVE-2019-14809 2 Golang, Debian 2 Go, Debian Linux 2019-08-24 7.5
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is...
CVE-2019-6486 3 Golang, Debian, Opensuse 3 Go, Debian Linux, Leap 2019-06-03 6.4
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
CVE-2018-16875 2 Golang, Opensuse 2 Go, Leap 2019-06-03 7.8
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS...
CVE-2018-16874 2 Golang, Opensuse 2 Go, Leap 2019-06-03 6.8
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is...
CVE-2018-16873 2 Golang, Opensuse 2 Go, Leap 2019-06-03 6.8
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly....
CVE-2019-9741 1 Golang 1 Go 2019-05-30 4.3
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVE-2019-11888 1 Golang 1 Go 2019-05-13 7.5
Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.
CVE-2015-5739 3 Golang, Fedoraproject, Redhat 6 Go, Fedora, Enterprise Linux Server and 3 more 2019-05-10 7.5
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content...
CVE-2015-5740 3 Golang, Fedoraproject, Redhat 6 Go, Fedora, Enterprise Linux Server and 3 more 2019-05-09 7.5
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.
CVE-2019-9634 1 Golang 1 Go 2019-04-12 6.8
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
CVE-2018-17848 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.
CVE-2018-17847 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from...
CVE-2018-17846 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.
CVE-2018-17143 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.
CVE-2018-17142 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.
CVE-2018-17075 1 Golang 1 Go 2019-03-25 5.0
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to...
CVE-2018-6574 3 Golang, Debian, Redhat 6 Go, Debian Linux, Enterprise Linux Server and 3 more 2019-03-01 4.6
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
CVE-2018-7187 2 Golang, Debian 2 Go, Debian Linux 2019-02-28 9.3
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands...
CVE-2017-8932 5 Novell, Golang, Fedoraproject and 2 more 5 Suse Package Hub For Suse Linux Enterprise, Go, Fedora and 2 more 2018-10-30 4.3
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to...
CVE-2015-8618 3 Golang, Novell, Opensuse 3 Go, Leap, Leap 2018-10-30 5.0
The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.