Search CVE reports

41 – 50 of 65 results

Detailed view

Sort by:

CVE-2022-41717

Medium priority

Some fixes available 10 of 19

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped,...

10 affected packages

golang, golang-1.10, golang-1.13, golang-1.14, golang-1.16...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang	—	Not in release	Not in release	Not in release	Ignored
golang-1.10	—	Not in release	Not in release	Vulnerable	Needs evaluation
golang-1.13	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.14	—	Not in release	Vulnerable	Not in release	Not in release
golang-1.16	—	Not in release	Fixed	Fixed	Ignored
golang-1.17	—	Vulnerable	Not in release	Not in release	Ignored
golang-1.18	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.6	—	Not in release	Not in release	Not in release	Needs evaluation
golang-1.8	—	Not in release	Not in release	Vulnerable	Not in release
golang-1.9	—	Not in release	Not in release	Vulnerable	Not in release

CVE-2022-41720

Medium priority

Not affected

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files...

10 affected packages

golang, golang-1.10, golang-1.13, golang-1.14, golang-1.16...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang	—	Not in release	Not in release	Not in release	Ignored
golang-1.10	—	Not in release	Not in release	Not affected	Not affected
golang-1.13	—	Not affected	Not affected	Not affected	Not affected
golang-1.14	—	Not in release	Not affected	Not in release	Not in release
golang-1.16	—	Not in release	Not affected	Not affected	Ignored
golang-1.17	—	Not affected	Not in release	Not in release	Ignored
golang-1.18	—	Not affected	Not affected	Not affected	Ignored
golang-1.6	—	Not in release	Not in release	Not in release	Not affected
golang-1.8	—	Not in release	Not in release	Not affected	Not in release
golang-1.9	—	Not in release	Not in release	Not affected	Not in release

CVE-2022-41716

Negligible priority

Needs evaluation

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked...

12 affected packages

golang, golang-1.10, golang-1.13, golang-1.14, golang-1.16...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	Not in release	Not in release
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation	Ignored
golang-1.17	Not in release	Needs evaluation	Not in release	Not in release	Ignored
golang-1.18	Not in release	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.19	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Needs evaluation	Needs evaluation	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release	Needs evaluation
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation	Not in release
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation	Not in release

CVE-2022-41715

Medium priority

Some fixes available 3 of 16

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant...

10 affected packages

golang-1.10, golang-1.13, golang-1.14, golang-1.16, golang-1.17...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.13	Not in release	Vulnerable	Vulnerable	Vulnerable	Vulnerable
golang-1.14	Not in release	Not in release	Vulnerable	Not in release	Not in release
golang-1.16	Not in release	Not in release	Vulnerable	Vulnerable	Not in release
golang-1.17	—	Not affected	Not in release	Not in release	Ignored
golang-1.18	Not in release	Fixed	Fixed	Fixed	Not affected
golang-1.19	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release	Vulnerable
golang-1.8	Not in release	Not in release	Not in release	Vulnerable	Not in release
golang-1.9	Not in release	Not in release	Not in release	Vulnerable	Not in release

CVE-2022-2880

Medium priority

Some fixes available 10 of 18

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter...

10 affected packages

golang-1.10, golang-1.13, golang-1.14, golang-1.16, golang-1.17...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.10	Not in release	Not in release	Not in release	Vulnerable	Vulnerable
golang-1.13	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.14	Not in release	Not in release	Vulnerable	Not in release	Not in release
golang-1.16	Not in release	Not in release	Fixed	Fixed	Ignored
golang-1.17	—	Vulnerable	Not in release	Not in release	Ignored
golang-1.18	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release	Vulnerable
golang-1.8	Not in release	Not in release	Not in release	Vulnerable	Not in release
golang-1.9	Not in release	Not in release	Not in release	Vulnerable	Not in release

CVE-2022-2879

Medium priority

Some fixes available 10 of 18

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After...

10 affected packages

golang-1.10, golang-1.13, golang-1.14, golang-1.16, golang-1.17...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.10	Not in release	Not in release	Not in release	Vulnerable	Vulnerable
golang-1.13	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.14	Not in release	Not in release	Vulnerable	Not in release	Not in release
golang-1.16	Not in release	Not in release	Fixed	Fixed	Ignored
golang-1.17	—	Vulnerable	Not in release	Not in release	Ignored
golang-1.18	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release	Vulnerable
golang-1.8	Not in release	Not in release	Not in release	Vulnerable	Not in release
golang-1.9	Not in release	Not in release	Not in release	Vulnerable	Not in release

CVE-2022-32190

Medium priority

Not affected

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../...

9 affected packages

golang-1.10, golang-1.13, golang-1.14, golang-1.16, golang-1.17...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.10	—	Not in release	Not in release	Not affected	Not affected
golang-1.13	—	Not affected	Not affected	Not affected	Not affected
golang-1.14	—	Not in release	Not affected	Not in release	Ignored
golang-1.16	—	Not in release	Not affected	Not affected	Ignored
golang-1.17	—	Not affected	Not in release	Not in release	Ignored
golang-1.18	—	Not affected	Not affected	Not affected	Ignored
golang-1.6	—	Not in release	Not in release	Not in release	Not affected
golang-1.8	—	Not in release	Not in release	Not affected	Ignored
golang-1.9	—	Not in release	Not in release	Not affected	Ignored

CVE-2022-27664

Medium priority

Some fixes available 15 of 32

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

14 affected packages

containerd, golang, golang-1.10, golang-1.13, golang-1.14...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
containerd	Not affected	Not affected	Not affected	Not affected	Not affected
golang	—	Not in release	Not in release	Not in release	Ignored
golang-1.10	—	Not in release	Not in release	Vulnerable	Vulnerable
golang-1.13	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.14	—	Not in release	Vulnerable	Not in release	Ignored
golang-1.16	—	Not in release	Fixed	Fixed	Ignored
golang-1.17	—	Vulnerable	Not in release	Not in release	Ignored
golang-1.18	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.6	—	Not in release	Not in release	Not in release	Vulnerable
golang-1.8	—	Not in release	Not in release	Vulnerable	Ignored
golang-1.9	—	Not in release	Not in release	Vulnerable	Ignored
golang-golang-x-net	Not affected	Vulnerable	Not in release	Not in release	Not in release
golang-golang-x-net-dev	Not in release	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
google-guest-agent	Fixed	Fixed	Fixed	Needs evaluation	Needs evaluation

CVE-2022-32189

Medium priority

Some fixes available 10 of 19

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

11 affected packages

golang, golang-1.10, golang-1.13, golang-1.14, golang-1.15...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang	Not in release	Not in release	Not in release	Not in release	Not in release
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.13	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.14	Not in release	Not in release	Needs evaluation	Not in release	Not in release
golang-1.15	—	—	Not in release	Not in release	Not in release
golang-1.16	Not in release	Not in release	Fixed	Fixed	Ignored
golang-1.17	Not in release	Needs evaluation	Not in release	Not in release	Ignored
golang-1.18	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.6	Not in release	Not in release	Not in release	Not in release	Needs evaluation
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation	Not in release
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation	Not in release

CVE-2022-30629

Medium priority

Some fixes available 10 of 13

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

8 affected packages

golang-1.11, golang-1.13, golang-1.15, golang-1.16, golang-1.17...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
golang-1.11	—	—	—	—	—
golang-1.13	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.15	—	—	—	—	—
golang-1.16	Not in release	Not in release	Fixed	Fixed	Ignored
golang-1.17	Not in release	Vulnerable	—	—	—
golang-1.18	Not in release	Fixed	Fixed	Fixed	Fixed
golang-1.7	—	—	—	—	—
golang-1.8	—	—	—	Not affected	—

Export to JSON

Results by page: