Search CVE reports
51 – 60 of 63 results
CVE-2022-30634
Medium priorityInfinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
6 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.18, golang-1.7, golang-1.8
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-1.11 | — | — | — | — | — |
| golang-1.15 | — | — | — | — | — |
| golang-1.17 | Not in release | Needs evaluation | — | — | — |
| golang-1.18 | Not in release | Not affected | Not affected | Not affected | Not affected |
| golang-1.7 | — | — | — | — | — |
| golang-1.8 | — | — | — | Needs evaluation | — |
CVE-2022-29526
Medium prioritySome fixes available 6 of 19
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
11 affected packages
golang, golang-1.10, golang-1.13, golang-1.14, golang-1.15...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang | Not in release | Not in release | Not in release | Not in release | Not in release |
| golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
| golang-1.13 | Not in release | Not affected | Not affected | Not affected | Not affected |
| golang-1.14 | Not in release | Not in release | Needs evaluation | Not in release | Not in release |
| golang-1.15 | — | — | Not in release | Not in release | Not in release |
| golang-1.16 | Not in release | Not in release | Fixed | Fixed | Ignored |
| golang-1.17 | Not in release | Needs evaluation | Not in release | Not in release | Ignored |
| golang-1.18 | Not in release | Fixed | Fixed | Fixed | Fixed |
| golang-1.6 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
| golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
| golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
CVE-2022-28327
Medium prioritySome fixes available 4 of 6
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
2 affected packages
golang-1.17, golang-1.18
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-1.17 | Not in release | Needs evaluation | — | — | Ignored |
| golang-1.18 | Not in release | Fixed | Fixed | Fixed | Fixed |
CVE-2022-27536
Medium priorityCertificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic.
2 affected packages
golang-1.17, golang-1.18
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-1.17 | — | Not affected | — | — | Ignored |
| golang-1.18 | — | Not affected | Not affected | Not affected | Ignored |
CVE-2022-24675
Medium prioritySome fixes available 4 of 6
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
2 affected packages
golang-1.17, golang-1.18
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-1.17 | Not in release | Needs evaluation | — | — | Ignored |
| golang-1.18 | Not in release | Fixed | Fixed | Fixed | Fixed |
CVE-2022-24921
Low priorityregexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
9 affected packages
golang-1.10, golang-1.13, golang-1.14, golang-1.15, golang-1.16...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-1.10 | — | — | — | Needs evaluation | Needs evaluation |
| golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-1.14 | — | — | Needs evaluation | — | Ignored |
| golang-1.15 | — | — | — | — | Ignored |
| golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
| golang-1.17 | Not in release | Needs evaluation | — | — | Ignored |
| golang-1.6 | — | — | — | — | Needs evaluation |
| golang-1.8 | — | — | — | Needs evaluation | Ignored |
| golang-1.9 | — | — | — | Needs evaluation | Ignored |
CVE-2022-23773
Medium prioritycmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
10 affected packages
golang, golang-1.10, golang-1.13, golang-1.14, golang-1.15...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang | Not in release | Not in release | Not in release | Not in release | Not in release |
| golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
| golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-1.14 | Not in release | Not in release | Needs evaluation | Not in release | Not in release |
| golang-1.15 | — | — | Not in release | Not in release | Not in release |
| golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
| golang-1.17 | Not in release | Needs evaluation | Not in release | Not in release | Ignored |
| golang-1.6 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
| golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
| golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
CVE-2022-23772
Medium priorityRat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
10 affected packages
golang, golang-1.10, golang-1.13, golang-1.14, golang-1.15...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang | Not in release | Not in release | Not in release | Not in release | Not in release |
| golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
| golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-1.14 | Not in release | Not in release | Needs evaluation | Not in release | Not in release |
| golang-1.15 | — | — | Not in release | Not in release | Not in release |
| golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
| golang-1.17 | Not in release | Needs evaluation | Not in release | Not in release | Ignored |
| golang-1.6 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
| golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
| golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation | Not in release |
CVE-2021-39293
Medium priorityIn archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete...
6 affected packages
golang-1.11, golang-1.15, golang-1.16, golang-1.17, golang-1.7, golang-1.8
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-1.11 | Not in release | Not in release | Not in release | Not in release | Ignored |
| golang-1.15 | — | — | Not in release | Not in release | Ignored |
| golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
| golang-1.17 | Not in release | Not affected | Not in release | Not in release | Ignored |
| golang-1.7 | Not in release | Not in release | Not in release | Not in release | Ignored |
| golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation | Ignored |
CVE-2021-44717
Medium priorityGo before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
5 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.7, golang-1.8
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-1.11 | Not in release | Not in release | Not in release | Not in release | Ignored |
| golang-1.15 | — | — | Not in release | Not in release | Ignored |
| golang-1.17 | Not in release | Vulnerable | Not in release | Not in release | Ignored |
| golang-1.7 | Not in release | Not in release | Not in release | Not in release | Ignored |
| golang-1.8 | Not in release | Not in release | Not in release | Vulnerable | Ignored |