Search CVE reports

11 – 20 of 48 results

Detailed view

Sort by:

CVE-2023-45290

Medium priority

Some fixes available 7 of 24

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Fixed	Not in release	—
golang-1.18	Not in release	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2023-45289

Medium priority

Some fixes available 2 of 24

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Needs evaluation	Not in release	—
golang-1.18	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2023-45288

Medium priority

Some fixes available 7 of 24

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Fixed	Not in release	—
golang-1.18	Not in release	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2023-45287

Medium priority

Needs evaluation

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it...

2 affected packages

golang-1.19, golang-1.20

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang-1.19	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Needs evaluation	Needs evaluation	Ignored

CVE-2023-45285

Medium priority

Some fixes available 8 of 9

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for...

3 affected packages

golang-1.19, golang-1.20, golang-1.21

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang-1.19	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Fixed	Fixed	Ignored
golang-1.21	Not affected	Fixed	Fixed	Ignored

CVE-2023-45284

Medium priority

Needs evaluation

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3,...

13 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	Not in release
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Needs evaluation	Not in release	Not in release
golang-1.18	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.19	Not in release	Not in release	Not in release	Not in release
golang-1.20	Not in release	Not affected	Not affected	Not in release
golang-1.21	Not affected	Not affected	Not affected	Not in release

CVE-2023-45283

Medium priority

Needs evaluation

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to...

13 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	Not in release
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Needs evaluation	Not in release	Not in release
golang-1.18	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.19	Not in release	Not in release	Not in release	Not in release
golang-1.20	Not in release	Not affected	Not affected	Not in release
golang-1.21	Not affected	Not affected	Not affected	Not in release

CVE-2023-39326

Medium priority

Some fixes available 8 of 9

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause...

3 affected packages

golang-1.19, golang-1.20, golang-1.21

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang-1.19	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Fixed	Fixed	Ignored
golang-1.21	Not affected	Fixed	Fixed	Ignored

CVE-2023-39325

Medium priority

Some fixes available 13 of 27

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting,...

13 affected packages

golang-1.19, golang-1.20, golang-1.21, golang, golang-1.6...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang-1.19	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Fixed	Fixed	Ignored
golang-1.21	Not affected	Fixed	Fixed	Ignored
golang	Not in release	Not in release	Not in release	Not in release
golang-1.6	Not in release	Not in release	Not in release	Not in release
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	Not in release
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Fixed	Not in release	Not in release
golang-1.18	Not in release	Fixed	Fixed	Fixed

CVE-2023-39323

Medium priority

Some fixes available 13 of 14

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code...

5 affected packages

golang-1.19, golang-1.20, golang-1.21, golang-1.18, golang-1.17

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang-1.19	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Fixed	Fixed	Ignored
golang-1.21	Not affected	Fixed	Fixed	Ignored
golang-1.18	Not in release	Fixed	Fixed	Fixed
golang-1.17	Not in release	Fixed	Not in release	—

Export to JSON

Results by page: