Search CVE reports

21 – 30 of 58 results

Detailed view

Sort by:

CVE-2024-24787

Medium priority

Not affected

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Not affected
golang-1.9	Not in release	Not in release	Not in release	Not affected
golang-1.10	Not in release	Not in release	Not in release	Not affected
golang-1.13	Not in release	Not affected	Not affected	Not affected
golang-1.14	Not in release	Not in release	Not affected	—
golang-1.16	Not in release	Not in release	Not affected	Not affected
golang-1.17	Not in release	Not affected	Not in release	—
golang-1.18	Not in release	Not affected	Not affected	Not affected
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Not affected	Not affected	—
golang-1.21	Not affected	Not affected	Not affected	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2024-24784

Medium priority

Some fixes available 7 of 24

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Fixed	Not in release	—
golang-1.18	Not in release	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2024-24783

Medium priority

Some fixes available 7 of 24

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Fixed	Not in release	—
golang-1.18	Not in release	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2023-45290

Medium priority

Some fixes available 7 of 24

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Fixed	Not in release	—
golang-1.18	Not in release	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2023-45289

Medium priority

Some fixes available 2 of 24

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Needs evaluation	Not in release	—
golang-1.18	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2023-45288

Medium priority

Some fixes available 7 of 24

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames...

14 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	—
golang-1.6	Not in release	Not in release	Not in release	—
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	—
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Fixed	Not in release	—
golang-1.18	Not in release	Fixed	Fixed	Fixed
golang-1.19	Not in release	Not in release	Not in release	—
golang-1.20	Not in release	Needs evaluation	Needs evaluation	—
golang-1.21	Not affected	Fixed	Fixed	—
golang-1.22	Not affected	Not affected	Not affected	—

CVE-2023-45287

Medium priority

Needs evaluation

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it...

2 affected packages

golang-1.19, golang-1.20

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang-1.19	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Needs evaluation	Needs evaluation	Ignored

CVE-2023-45285

Medium priority

Some fixes available 8 of 9

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for...

3 affected packages

golang-1.19, golang-1.20, golang-1.21

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang-1.19	Not in release	Not in release	Not in release	Ignored
golang-1.20	Not in release	Fixed	Fixed	Ignored
golang-1.21	Not affected	Fixed	Fixed	Ignored

CVE-2023-45284

Medium priority

Needs evaluation

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3,...

13 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	Not in release
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Needs evaluation	Not in release	Not in release
golang-1.18	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.19	Not in release	Not in release	Not in release	Not in release
golang-1.20	Not in release	Not affected	Not affected	Not in release
golang-1.21	Not affected	Not affected	Not affected	Not in release

CVE-2023-45283

Medium priority

Needs evaluation

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to...

13 affected packages

golang, golang-1.6, golang-1.8, golang-1.9, golang-1.10...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
golang	Not in release	Not in release	Not in release	Ignored
golang-1.6	Not in release	Not in release	Not in release	Not in release
golang-1.8	Not in release	Not in release	Not in release	Needs evaluation
golang-1.9	Not in release	Not in release	Not in release	Needs evaluation
golang-1.10	Not in release	Not in release	Not in release	Needs evaluation
golang-1.13	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.14	Not in release	Not in release	Needs evaluation	Not in release
golang-1.16	Not in release	Not in release	Needs evaluation	Needs evaluation
golang-1.17	Not in release	Needs evaluation	Not in release	Not in release
golang-1.18	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
golang-1.19	Not in release	Not in release	Not in release	Not in release
golang-1.20	Not in release	Not affected	Not affected	Not in release
golang-1.21	Not affected	Not affected	Not affected	Not in release

Export to JSON

Results by page: