Skip to main content

Go

124 CVEs product

Monthly

CVE-2020-29509 Go MEDIUM PATCH This Month

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Go Trident
NVD GitHub
CVSS 3.1
5.6
EPSS
2.1%
CVE-2020-28367 Go HIGH PATCH This Week

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Go
NVD
CVSS 3.1
7.5
EPSS
2.4%
CVE-2020-28366 Go HIGH PATCH This Week

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Go Fedora Cloud Insights Telegraf Agent +1
NVD
CVSS 3.1
7.5
EPSS
2.2%
CVE-2020-28362 Go HIGH PATCH This Week

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Fedora Cloud Insights Telegraf Agent Trident
NVD
CVSS 3.1
7.5
EPSS
3.8%
CVE-2020-24553 Go MEDIUM POC PATCH This Month

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Go Fedora Leap Communications Cloud Native Core Policy
NVD
CVSS 3.1
6.1
EPSS
3.6%
CVE-2020-16845 Go HIGH PATCH This Week

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Leap Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
4.7%
CVE-2020-15586 Go MEDIUM PATCH This Month

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Go Cf Deployment Routing Release +3
NVD
CVSS 3.1
5.9
EPSS
2.9%
CVE-2020-14039 Go MEDIUM PATCH This Month

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Go Leap
NVD
CVSS 3.1
5.3
EPSS
1.8%
CVE-2020-7919 Go HIGH PATCH This Week

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Debian Linux Fedora Cloud Insights Telegraf
NVD
CVSS 3.1
7.5
EPSS
2.6%
CVE-2020-0601 Go HIGH POC KEV PATCH THREAT This Week

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Information Disclosure Windows 10 1507 Windows 10 1607 Windows 10 1709 +10
NVD Exploit-DB
CVSS 3.1
8.1
EPSS
89.4%
CVE-2019-17596 Go HIGH POC PATCH This Week

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Go Debian Linux Fedora Developer Tools +7
NVD GitHub
CVSS 3.1
7.5
EPSS
4.7%
CVE-2019-16276 Go HIGH PATCH This Week

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Go Debian Linux Leap +6
NVD GitHub
CVSS 3.1
7.5
EPSS
5.2%
CVE-2019-14809 Go CRITICAL POC PATCH Act Now

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Google Go Debian Linux
NVD GitHub
CVSS 3.0
9.8
EPSS
8.4%
CVE-2019-11888 CRITICAL PATCH Act Now

Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Microsoft Go
NVD
CVSS 3.0
9.8
EPSS
2.7%
CVE-2019-9741 MEDIUM POC This Month

An issue was discovered in net/http in Go 1.11.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Go Debian Linux Fedora +2
NVD GitHub
CVSS 3.1
6.1
EPSS
2.3%
CVE-2019-9634 Go HIGH POC PATCH This Week

Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Microsoft Go
NVD GitHub
CVSS 3.1
7.8
EPSS
3.3%
CVE-2019-6486 Go HIGH PATCH This Week

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go Debian Linux Leap
NVD GitHub
CVSS 3.0
8.2
EPSS
4.3%
CVE-2018-16875 Go HIGH PATCH This Week

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Leap
NVD
CVSS 3.0
7.5
EPSS
6.3%
CVE-2018-16874 Go HIGH PATCH This Week

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Path Traversal Go Backports Sle Leap +2
NVD
CVSS 3.1
8.1
EPSS
5.0%
CVE-2018-16873 Go HIGH PATCH This Week

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Go Backports Sle Leap Linux Enterprise Server +1
NVD
CVSS 3.1
8.1
EPSS
66.3%
CVE-2018-7187 Go HIGH POC PATCH THREAT This Week

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Go Debian Linux
NVD GitHub
CVSS 3.1
8.8
EPSS
63.2%
CVE-2018-6574 Go HIGH POC PATCH This Week

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Go Debian Linux Enterprise Linux Server +3
NVD GitHub
CVSS 3.0
7.8
EPSS
7.8%
CVE-2015-5740 Go CRITICAL PATCH Act Now

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Go Fedora Enterprise Linux Server +3
NVD GitHub
CVSS 3.0
9.8
EPSS
4.3%
CVE-2015-5739 Go CRITICAL PATCH Act Now

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.9%.

Request Smuggling Information Disclosure Go Fedora Enterprise Linux Server +3
NVD GitHub
CVSS 3.0
9.8
EPSS
11.9%
CVE-2017-15042 Go MEDIUM PATCH This Month

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Go
NVD GitHub
CVSS 3.0
5.9
EPSS
0.2%
CVE-2017-15041 Go CRITICAL PATCH Act Now

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go Debian Linux Developer Tools Enterprise Linux Eus +3
NVD GitHub
CVSS 3.1
9.8
EPSS
3.8%
CVE-2017-1000098 Go HIGH PATCH This Week

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2017-1000097 Go HIGH PATCH This Week

On Darwin, user's trust preferences for root certificates were not honored. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2017-8932 Go MEDIUM PATCH This Month

A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Go Suse Package Hub For Suse Linux Enterprise Fedora Leap
NVD GitHub
CVSS 3.0
5.9
EPSS
1.5%
CVE-2016-5386 Go HIGH PATCH Act Now

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 45.9%.

Authentication Bypass Fedora Linux Enterprise Linux Server Enterprise Linux Server Aus +2
NVD
CVSS 3.1
8.1
EPSS
45.9%
CVE-2016-3959 Go HIGH PATCH This Week

The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Leap Go Fedora
NVD
CVSS 3.0
7.5
EPSS
2.5%
CVE-2016-3958 Go HIGH PATCH This Week

Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Microsoft Go
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2015-8618 Go HIGH PATCH This Week

The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Leap Go
NVD GitHub
CVSS 3.0
7.5
EPSS
0.7%
CVE-2014-7189 Go MEDIUM PATCH This Month

crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Go
NVD
CVSS 2.0
4.3
EPSS
0.3%
EPSS 2% CVSS 5.6
MEDIUM PATCH This Month

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Go Trident
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Go +3
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Fedora +2
NVD
EPSS 4% CVSS 6.1
MEDIUM POC PATCH This Month

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Go Fedora +2
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Leap +2
NVD
EPSS 3% CVSS 5.9
MEDIUM PATCH This Month

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Race Condition Information Disclosure Go +5
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Go +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Debian Linux +2
NVD
EPSS 89% CVSS 8.1
HIGH POC KEV PATCH THREAT This Week

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Information Disclosure Windows 10 1507 +12
NVD Exploit-DB
EPSS 5% CVSS 7.5
HIGH POC PATCH This Week

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Go Debian Linux +9
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Go +8
NVD GitHub
EPSS 8% CVSS 9.8
CRITICAL POC PATCH Act Now

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Google Go +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Microsoft Go
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in net/http in Go 1.11.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Go +4
NVD GitHub
EPSS 3% CVSS 7.8
HIGH POC PATCH This Week

Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Microsoft Go
NVD GitHub
EPSS 4% CVSS 8.2
HIGH PATCH This Week

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go Debian Linux +1
NVD GitHub
EPSS 6% CVSS 7.5
HIGH PATCH This Week

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Leap
NVD
EPSS 5% CVSS 8.1
HIGH PATCH This Week

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Path Traversal Go +4
NVD
EPSS 66% CVSS 8.1
HIGH PATCH This Week

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Go Backports Sle +3
NVD
EPSS 63% CVSS 8.8
HIGH POC PATCH THREAT This Week

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Go Debian Linux
NVD GitHub
EPSS 8% CVSS 7.8
HIGH POC PATCH This Week

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Go +5
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Go +5
NVD GitHub
EPSS 12% CVSS 9.8
CRITICAL PATCH Act Now

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.9%.

Request Smuggling Information Disclosure Go +5
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Go
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go Debian Linux +5
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

On Darwin, user's trust preferences for root certificates were not honored. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Go Suse Package Hub For Suse Linux Enterprise +2
NVD GitHub
EPSS 46% CVSS 8.1
HIGH PATCH Act Now

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 45.9%.

Authentication Bypass Fedora Linux +4
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Leap Go +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Microsoft Go
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Leap Go
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Go
NVD
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy