ID CVE-2020-14040
Summary The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
References
Vulnerable Configurations
  • cpe:2.3:a:golang:text:0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:golang:text:0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:golang:text:0.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:golang:text:0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:golang:text:0.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:golang:text:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:golang:text:0.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:golang:text:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:golang:text:0.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:golang:text:0.3.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 18-11-2020 - 14:44)
Impact:
Exploitability:
CWE CWE-835
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
rpms
  • ior-0:1.1.6-1.el8
  • kiali-0:v1.12.10.redhat2-1.el7
  • servicemesh-0:1.1.6-1.el8
  • servicemesh-citadel-0:1.1.6-1.el8
  • servicemesh-cni-0:1.1.6-1.el8
  • servicemesh-galley-0:1.1.6-1.el8
  • servicemesh-grafana-0:6.4.3-13.el8
  • servicemesh-grafana-prometheus-0:6.4.3-13.el8
  • servicemesh-istioctl-0:1.1.6-1.el8
  • servicemesh-mixc-0:1.1.6-1.el8
  • servicemesh-mixs-0:1.1.6-1.el8
  • servicemesh-operator-0:1.1.6-2.el8
  • servicemesh-pilot-agent-0:1.1.6-1.el8
  • servicemesh-pilot-discovery-0:1.1.6-1.el8
  • servicemesh-prometheus-0:2.14.0-14.el8
  • servicemesh-sidecar-injector-0:1.1.6-1.el8
  • delve-0:1.3.2-3.module+el8.2.0+5581+896cb53e
  • delve-debuginfo-0:1.3.2-3.module+el8.2.0+5581+896cb53e
  • delve-debugsource-0:1.3.2-3.module+el8.2.0+5581+896cb53e
  • go-toolset-0:1.13.15-1.module+el8.2.0+7662+fa98b974
  • golang-0:1.13.15-1.module+el8.2.0+7662+fa98b974
  • golang-bin-0:1.13.15-1.module+el8.2.0+7662+fa98b974
  • golang-docs-0:1.13.15-1.module+el8.2.0+7662+fa98b974
  • golang-misc-0:1.13.15-1.module+el8.2.0+7662+fa98b974
  • golang-race-0:1.13.15-1.module+el8.2.0+7662+fa98b974
  • golang-src-0:1.13.15-1.module+el8.2.0+7662+fa98b974
  • golang-tests-0:1.13.15-1.module+el8.2.0+7662+fa98b974
refmap via4
fedora FEDORA-2020-a55f130272
misc https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
Last major update 18-11-2020 - 14:44
Published 17-06-2020 - 20:15
Last modified 18-11-2020 - 14:44
Back to Top