Search CVE reports
1 – 10 of 12 results
Some fixes available 9 of 18
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the...
3 affected packages
golang-google-protobuf, google-guest-agent, google-osconfig-agent
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-google-protobuf | Needs evaluation | Needs evaluation | Not in release | — |
google-guest-agent | Fixed | Fixed | Fixed | Needs evaluation |
google-osconfig-agent | Fixed | Fixed | Needs evaluation | Needs evaluation |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
4 affected packages
containerd, golang-golang-x-net, golang-golang-x-net-dev, google-guest-agent
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
containerd | Not affected | Not affected | Not affected | Not affected |
golang-golang-x-net | Needs evaluation | Needs evaluation | Not in release | Ignored |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
4 affected packages
golang-github-golang-protobuf-1-3, golang-github-golang-protobuf-1-5, golang-goprotobuf, google-guest-agent
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-github-golang-protobuf-1-3 | Needs evaluation | Not in release | Not in release | Ignored |
golang-github-golang-protobuf-1-5 | Needs evaluation | Not in release | Not in release | Ignored |
golang-goprotobuf | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
Some fixes available 10 of 29
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
16 affected packages
containerd, golang, golang-1.10, golang-1.13, golang-1.14...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
containerd | Not affected | Not affected | Not affected | Not affected |
golang | Not in release | Not in release | Not in release | Not in release |
golang-1.10 | Not in release | Not in release | Not in release | Vulnerable |
golang-1.13 | Not in release | Vulnerable | Vulnerable | Vulnerable |
golang-1.14 | Not in release | Not in release | Vulnerable | Not in release |
golang-1.16 | Not in release | Not in release | Vulnerable | Vulnerable |
golang-1.17 | Not in release | Fixed | Not in release | Not in release |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.19 | Not in release | Not in release | Not in release | Not in release |
golang-1.20 | Not in release | Not affected | Not affected | Not in release |
golang-1.21 | Not affected | Not affected | Not affected | Not in release |
golang-1.6 | Not in release | Not in release | Not in release | Not in release |
golang-1.8 | Not in release | Not in release | Not in release | Vulnerable |
golang-1.9 | Not in release | Not in release | Not in release | Vulnerable |
golang-golang-x-net | Not affected | Vulnerable | Not in release | Not in release |
google-guest-agent | Fixed | Fixed | Fixed | Vulnerable |
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead...
2 affected packages
golang-golang-x-net, google-guest-agent
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | — | Not affected | Not in release | Not in release |
google-guest-agent | — | Not affected | Not affected | Not affected |
Some fixes available 15 of 32
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
14 affected packages
containerd, golang, golang-1.10, golang-1.13, golang-1.14...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
containerd | Not affected | Not affected | Not affected | Not affected |
golang | — | Not in release | Not in release | Not in release |
golang-1.10 | — | Not in release | Not in release | Vulnerable |
golang-1.13 | Not in release | Fixed | Fixed | Fixed |
golang-1.14 | — | Not in release | Vulnerable | Not in release |
golang-1.16 | — | Not in release | Fixed | Fixed |
golang-1.17 | — | Vulnerable | Not in release | Not in release |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-1.6 | — | Not in release | Not in release | Not in release |
golang-1.8 | — | Not in release | Not in release | Vulnerable |
golang-1.9 | — | Not in release | Not in release | Vulnerable |
golang-golang-x-net | Not affected | Vulnerable | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
google-guest-agent | Fixed | Fixed | Fixed | Needs evaluation |
** DISPUTED ** service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory. NOTE: this finding could not be reproduced...
2 affected packages
golang-github-kardianos-service, google-guest-agent
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-github-kardianos-service | — | Not affected | Not affected | Not in release |
google-guest-agent | — | Not affected | Not affected | Not affected |
Some fixes available 5 of 21
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
8 affected packages
golang-1.11, golang-1.15, golang-1.17, golang-1.7, golang-1.8...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-1.11 | Not in release | Not in release | Not in release | Not in release |
golang-1.15 | — | — | Not in release | Not in release |
golang-1.17 | Not in release | Vulnerable | Not in release | Not in release |
golang-1.7 | Not in release | Not in release | Not in release | Not in release |
golang-1.8 | Not in release | Not in release | Not in release | Vulnerable |
golang-golang-x-net | Not affected | Not affected | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Vulnerable | Vulnerable |
google-guest-agent | Fixed | Fixed | Fixed | Vulnerable |
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some...
6 affected packages
golang-1.11, golang-1.15, golang-1.16, golang-golang-x-net, golang-golang-x-net-dev, google-guest-agent
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-1.11 | Not in release | Not in release | Not in release | Not in release |
golang-1.15 | — | — | Not in release | Not in release |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-golang-x-net | Not affected | Not affected | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
3 affected packages
golang-golang-x-net, golang-golang-x-net-dev, google-guest-agent
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | Needs evaluation | Needs evaluation | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |