Search CVE reports
1 – 10 of 13 results
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing,...
7 affected packages
golang-golang-x-net, google-guest-agent, containerd, golang-golang-x-net-dev, adsys...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | Needs evaluation | Needs evaluation | Not in release | Not in release |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
containerd | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
adsys | Needs evaluation | Needs evaluation | Needs evaluation | — |
juju-core | — | — | — | — |
lxd | — | — | Needs evaluation | Needs evaluation |
Some fixes available 11 of 13
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
7 affected packages
lxd, adsys, golang-golang-x-net, golang-golang-x-net-dev, juju-core...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
lxd | Not in release | Not in release | Not affected | Not affected |
adsys | Fixed | Fixed | Fixed | — |
golang-golang-x-net | Fixed | Fixed | Not in release | — |
golang-golang-x-net-dev | Not in release | Not in release | Fixed | Fixed |
juju-core | Not in release | Not in release | Not in release | — |
containerd | Not affected | Not affected | Not affected | Not affected |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
4 affected packages
golang-golang-x-net, google-guest-agent, containerd, golang-golang-x-net-dev
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | Needs evaluation | Needs evaluation | Not in release | Ignored |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
containerd | Not affected | Not affected | Not affected | Not affected |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
Some fixes available 16 of 33
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
14 affected packages
golang-1.10, golang-1.13, golang-1.18, golang-golang-x-net, google-guest-agent...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-1.10 | — | Not in release | Not in release | Vulnerable |
golang-1.13 | Not in release | Fixed | Fixed | Fixed |
golang-1.18 | Not in release | Fixed | Fixed | Fixed |
golang-golang-x-net | Not affected | Vulnerable | Not in release | Not in release |
google-guest-agent | Fixed | Fixed | Fixed | Needs evaluation |
containerd | Not affected | Not affected | Not affected | Not affected |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.14 | — | Not in release | Vulnerable | Not in release |
golang-1.16 | — | Not in release | Fixed | Fixed |
golang-1.17 | — | Vulnerable | Not in release | Not in release |
golang-1.6 | — | Not in release | Not in release | Not in release |
golang-1.8 | — | Not in release | Not in release | Vulnerable |
golang-1.9 | — | Not in release | Not in release | Vulnerable |
golang | — | Not in release | Not in release | Not in release |
Some fixes available 6 of 22
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
8 affected packages
golang-golang-x-net, google-guest-agent, golang-1.17, golang-1.11, golang-1.8...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | Not affected | Not affected | Not in release | Not in release |
google-guest-agent | Fixed | Fixed | Fixed | Vulnerable |
golang-1.17 | Not in release | Vulnerable | Not in release | Not in release |
golang-1.11 | Not in release | Not in release | Not in release | Not in release |
golang-1.8 | Not in release | Not in release | Not in release | Vulnerable |
golang-1.7 | Not in release | Not in release | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Vulnerable | Vulnerable |
golang-1.15 | — | — | Not in release | Not in release |
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
3 affected packages
golang-golang-x-net, google-guest-agent, golang-golang-x-net-dev
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | Needs evaluation | Needs evaluation | Not in release | Not in release |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some...
6 affected packages
golang-golang-x-net, google-guest-agent, golang-1.16, golang-1.11, golang-golang-x-net-dev, golang-1.15
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | Not affected | Not affected | Not in release | Not in release |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.11 | Not in release | Not in release | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
golang-1.15 | — | — | Not in release | Not in release |
The html package (aka x/net/html) through 2018-09-25 in Go mishandles `<math><template><mn><b></template>`, leading to a "panic: runtime error" (index out of range) in `(*insertionModeStack).pop` in node.go, called from inHeadIM,...
2 affected packages
golang-go.net-dev, golang-golang-x-net-dev
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-go.net-dev | — | — | — | Not in release |
golang-golang-x-net-dev | — | — | — | Not affected |
The html package (aka x/net/html) through 2018-09-25 in Go mishandles `<svg><template><desc><t><svg></template>`, leading to a "panic: runtime error" (index out of range) in `(*nodeStack).pop` in node.go, called...
2 affected packages
golang-go.net-dev, golang-golang-x-net-dev
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-go.net-dev | — | — | — | Not in release |
golang-golang-x-net-dev | — | — | — | Not affected |
The html package (aka x/net/html) through 2018-09-25 in Go mishandles `<table><math><select><mi><select></table>`, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a...
2 affected packages
golang-go.net-dev, golang-golang-x-net-dev
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-go.net-dev | Not in release | Not in release | Not in release | Not in release |
golang-golang-x-net-dev | Not in release | Not in release | Vulnerable | Vulnerable |