This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Golang First view 2018-12-14
Product Go Last view 2020-09-02
Version 1.11.0 Type Application
Update beta3  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:golang:go

Activity : Overall

Related : CVE

  Date Alert Description
6.1 2020-09-02 CVE-2020-24553

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

7.5 2020-08-06 CVE-2020-16845

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

5.9 2020-07-17 CVE-2020-15586

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

5.3 2020-07-17 CVE-2020-14039

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

7.5 2020-03-16 CVE-2020-7919

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

7.5 2019-10-24 CVE-2019-17596

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

7.5 2019-09-30 CVE-2019-16276

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

9.8 2019-08-13 CVE-2019-14809

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

9.8 2019-05-13 CVE-2019-11888

Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.

7.8 2019-03-08 CVE-2019-9634

Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.

8.2 2019-01-24 CVE-2019-6486

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

7.5 2018-12-14 CVE-2018-16875

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

8.1 2018-12-14 CVE-2018-16874

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

8.1 2018-12-14 CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".

CWE : Common Weakness Enumeration

%idName
25% (3) CWE-295 Certificate Issues
8% (1) CWE-770 Allocation of Resources Without Limits or Throttling
8% (1) CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggli...
8% (1) CWE-436 Interpretation Conflict
8% (1) CWE-427 Uncontrolled Search Path Element
8% (1) CWE-362 Race Condition
8% (1) CWE-269 Improper Privilege Management
8% (1) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
8% (1) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
8% (1) CWE-20 Improper Input Validation

Snort® IPS/IDS

Date Description
2019-05-14 Go binary bll-load exploit attempt
RuleID : 49786 - Type : FILE-OTHER - Revision : 1
2019-05-14 Go binary dll-load exploit attempt
RuleID : 49785 - Type : FILE-OTHER - Revision : 1
2019-05-14 Go binary dll-load exploit attempt
RuleID : 49784 - Type : FILE-OTHER - Revision : 1
2019-05-14 Go binary dll-load exploit attempt
RuleID : 49783 - Type : FILE-OTHER - Revision : 1
2019-05-14 Go binary dll-load exploit attempt
RuleID : 49782 - Type : FILE-OTHER - Revision : 1
2019-05-14 Go binary dll-load exploit attempt
RuleID : 49781 - Type : FILE-OTHER - Revision : 1

Nessus® Vulnerability Scanner

id Description
2019-01-11 Name: The remote Fedora host is missing a security update.
File: fedora_2019-1198005e1f.nasl - Type: ACT_GATHER_INFO
2019-01-11 Name: The remote Fedora host is missing a security update.
File: fedora_2019-c424e3bb72.nasl - Type: ACT_GATHER_INFO
2018-12-24 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201812-09.nasl - Type: ACT_GATHER_INFO
2018-12-17 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1130.nasl - Type: ACT_GATHER_INFO