Search CVE reports
1 – 10 of 28 results
CVE-2022-30629
Medium priority
Some fixes available 10 of 13
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
8 affected packages
golang-1.11, golang-1.13, golang-1.15, golang-1.16, golang-1.17...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | — | — | — | — | — |
golang-1.13 | Not in release | Fixed | Fixed | Fixed | Fixed |
golang-1.15 | — | — | — | — | — |
golang-1.16 | Not in release | Not in release | Fixed | Fixed | Ignored |
golang-1.17 | Not in release | Vulnerable | — | — | — |
golang-1.18 | Not in release | Fixed | Fixed | Fixed | Fixed |
golang-1.7 | — | — | — | — | — |
golang-1.8 | — | — | — | Not affected | — |
CVE-2022-30580
Medium priority
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when...
6 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.18, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | — | — | — | — | — |
golang-1.15 | — | — | — | — | — |
golang-1.17 | — | Not affected | — | — | — |
golang-1.18 | — | Not affected | Not affected | Not affected | — |
golang-1.7 | — | — | — | — | — |
golang-1.8 | — | — | — | Not affected | — |
CVE-2022-29804
Medium priority
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
6 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.18, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | — | — | — | — | — |
golang-1.15 | — | — | — | — | — |
golang-1.17 | — | Not affected | — | — | — |
golang-1.18 | — | Not affected | Not affected | Not affected | — |
golang-1.7 | — | — | — | — | — |
golang-1.8 | — | — | — | Not affected | — |
CVE-2022-30634
Medium priority
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
6 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.18, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | — | — | — | — | — |
golang-1.15 | — | — | — | — | — |
golang-1.17 | Not in release | Needs evaluation | — | — | — |
golang-1.18 | Not in release | Not affected | Not affected | Not affected | Not affected |
golang-1.7 | — | — | — | — | — |
golang-1.8 | — | — | — | Needs evaluation | — |
CVE-2021-39293
Medium priority
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete...
6 affected packages
golang-1.11, golang-1.15, golang-1.16, golang-1.17, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.15 | — | — | Not in release | Not in release | Ignored |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
golang-1.17 | Not in release | Not affected | Not in release | Not in release | Ignored |
golang-1.7 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation | Ignored |
CVE-2021-44717
Medium priority
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
5 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.15 | — | — | Not in release | Not in release | Ignored |
golang-1.17 | Not in release | Vulnerable | Not in release | Not in release | Ignored |
golang-1.7 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.8 | Not in release | Not in release | Not in release | Vulnerable | Ignored |
CVE-2021-44716
Medium priority
Some fixes available 5 of 21
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
8 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.7, golang-1.8...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.15 | — | — | Not in release | Not in release | Ignored |
golang-1.17 | Not in release | Vulnerable | Not in release | Not in release | Ignored |
golang-1.7 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.8 | Not in release | Not in release | Not in release | Vulnerable | Ignored |
golang-golang-x-net | Not affected | Not affected | Not in release | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Vulnerable | Vulnerable | Needs evaluation |
google-guest-agent | Fixed | Fixed | Fixed | Vulnerable | Vulnerable |
CVE-2021-41772
Medium priority
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
6 affected packages
golang-1.11, golang-1.15, golang-1.16, golang-1.17, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | — | — | — | — | Ignored |
golang-1.15 | — | — | — | — | Ignored |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
golang-1.17 | Not in release | Needs evaluation | — | — | Ignored |
golang-1.7 | — | — | — | — | Ignored |
golang-1.8 | — | — | — | Needs evaluation | Ignored |
CVE-2021-41771
Low priority
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
6 affected packages
golang-1.11, golang-1.15, golang-1.16, golang-1.17, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | — | — | — | — | Ignored |
golang-1.15 | — | — | — | — | Ignored |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
golang-1.17 | Not in release | Needs evaluation | — | — | Ignored |
golang-1.7 | — | — | — | — | Ignored |
golang-1.8 | — | — | — | Needs evaluation | Ignored |
CVE-2021-33198
Low priority
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
5 affected packages
golang-1.11, golang-1.15, golang-1.16, golang-1.7, golang-1.8
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-1.11 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.15 | — | — | Not in release | Not in release | Ignored |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation | Ignored |
golang-1.7 | Not in release | Not in release | Not in release | Not in release | Ignored |
golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation | Ignored |