Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
AnalysisAI
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Affected products include: Golang Go. Version information: before 1.17.13.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and there
Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mu
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization by
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import pa
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allow
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) c
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. Rated high severity (CVS
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command executi
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query p
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable param
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite h
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today