Search CVE reports

1 – 10 of 28 results

Detailed view

Sort by:

CVE-2022-30629

Medium priority

Some fixes available 10 of 13

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

8 affected packages

golang-1.11, golang-1.13, golang-1.15, golang-1.16, golang-1.17...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	—	—	—	—	—
golang-1.13	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.15	—	—	—	—	—
golang-1.16	Not in release	Not in release	Fixed	Fixed	Ignored
golang-1.17	Not in release	Vulnerable	—	—	—
golang-1.18	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.7	—	—	—	—	—
golang-1.8	—	—	—	Not affected	—

CVE-2022-30580

Medium priority

Not affected

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when...

6 affected packages

golang-1.11, golang-1.15, golang-1.17, golang-1.18, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	—	—	—	—	—
golang-1.15	—	—	—	—	—
golang-1.17	—	Not affected	—	—	—
golang-1.18	—	Not affected	Not affected	Not affected	—
golang-1.7	—	—	—	—	—
golang-1.8	—	—	—	Not affected	—

CVE-2022-29804

Medium priority

Ignored

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

6 affected packages

golang-1.11, golang-1.15, golang-1.17, golang-1.18, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	—	—	—	—	—
golang-1.15	—	—	—	—	—
golang-1.17	—	Not affected	—	—	—
golang-1.18	—	Not affected	Not affected	Not affected	—
golang-1.7	—	—	—	—	—
golang-1.8	—	—	—	Not affected	—

CVE-2022-30634

Medium priority

Needs evaluation

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

6 affected packages

golang-1.11, golang-1.15, golang-1.17, golang-1.18, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	—	—	—	—	—
golang-1.15	—	—	—	—	—
golang-1.17	Not in release	Needs evaluation	—	—	—
golang-1.18	Not in release	Not affected	Not affected	Not affected	Not affected
golang-1.7	—	—	—	—	—
golang-1.8	—	—	—	Needs evaluation	—

CVE-2021-39293

Medium priority

Needs evaluation

In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete...

6 affected packages

golang-1.11, golang-1.15, golang-1.16, golang-1.17, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.15	—	—	Not in release	Not in release	Ignored
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation	Ignored
golang-1.17	Not in release	Not affected	Not in release	Not in release	Ignored
golang-1.7	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation	Ignored

CVE-2021-44717

Medium priority

Vulnerable

Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.

5 affected packages

golang-1.11, golang-1.15, golang-1.17, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.15	—	—	Not in release	Not in release	Ignored
golang-1.17	Not in release	Vulnerable	Not in release	Not in release	Ignored
golang-1.7	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.8	Not in release	Not in release	Not in release	Vulnerable	Ignored

CVE-2021-44716

Medium priority

Some fixes available 5 of 21

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

8 affected packages

golang-1.11, golang-1.15, golang-1.17, golang-1.7, golang-1.8...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.15	—	—	Not in release	Not in release	Ignored
golang-1.17	Not in release	Vulnerable	Not in release	Not in release	Ignored
golang-1.7	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.8	Not in release	Not in release	Not in release	Vulnerable	Ignored
golang-golang-x-net	Not affected	Not affected	Not in release	Not in release	Not in release
golang-golang-x-net-dev	Not in release	Not in release	Vulnerable	Vulnerable	Needs evaluation
google-guest-agent	Fixed	Fixed	Fixed	Vulnerable	Vulnerable

CVE-2021-41772

Medium priority

Needs evaluation

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

6 affected packages

golang-1.11, golang-1.15, golang-1.16, golang-1.17, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	—	—	—	—	Ignored
golang-1.15	—	—	—	—	Ignored
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation	Ignored
golang-1.17	Not in release	Needs evaluation	—	—	Ignored
golang-1.7	—	—	—	—	Ignored
golang-1.8	—	—	—	Needs evaluation	Ignored

CVE-2021-41771

Low priority

Needs evaluation

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.

6 affected packages

golang-1.11, golang-1.15, golang-1.16, golang-1.17, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	—	—	—	—	Ignored
golang-1.15	—	—	—	—	Ignored
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation	Ignored
golang-1.17	Not in release	Needs evaluation	—	—	Ignored
golang-1.7	—	—	—	—	Ignored
golang-1.8	—	—	—	Needs evaluation	Ignored

CVE-2021-33198

Low priority

Needs evaluation

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.

5 affected packages

golang-1.11, golang-1.15, golang-1.16, golang-1.7, golang-1.8

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.15	—	—	Not in release	Not in release	Ignored
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation	Ignored
golang-1.7	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation	Ignored

Export to JSON

Results by page: