Log

CVE-2021-33197 edited at 04 Jun 2021 07:36:35
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Url request injection
Description
+ A security issue has been found in Go before version 1.16.5. ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.
References
+ https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
+ https://github.com/golang/go/issues/46313
+ https://github.com/golang/go/commit/0410005dc458f23fb15f64354f9a24ca8f2fe044
CVE-2021-33196 edited at 04 Jun 2021 07:34:28
Description
- A security issue has been found in Go. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.
+ A security issue has been found in Go before version 1.16.5. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.
References
+ https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
https://github.com/golang/go/issues/46242
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912
- https://go.googlesource.com/go/+/ea6b0bf4faa91ad43e255a8d480a9e2b0f70dfc1%5E%21/
+ https://github.com/golang/go/commit/895fb1bb6fc0d3c01c5ef7c8cbaf033d1fff9ad7
AVG-2006 edited at 04 Jun 2021 07:32:59
Severity
- Low
+ Medium
CVE-2021-33195 edited at 04 Jun 2021 07:32:59
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A security issue has been found in Go before version 1.16.5. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.
References
+ https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
+ https://github.com/golang/go/issues/46241
+ https://github.com/golang/go/commit/df6a737cc899507d3090e995abd1e1ed1a30cee3
AVG-2006 edited at 04 Jun 2021 07:28:43
Issues
+ CVE-2021-33195
CVE-2021-33196
+ CVE-2021-33197
+ CVE-2021-33198
CVE-2021-33197 created at 04 Jun 2021 07:28:43
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
AVG-2006 edited at 04 Jun 2021 07:28:43
Issues
+ CVE-2021-33195
CVE-2021-33196
+ CVE-2021-33197
+ CVE-2021-33198
CVE-2021-33198 created at 04 Jun 2021 07:28:43
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
AVG-2006 edited at 04 Jun 2021 07:28:43
Issues
+ CVE-2021-33195
CVE-2021-33196
+ CVE-2021-33197
+ CVE-2021-33198
CVE-2021-33195 created at 04 Jun 2021 07:28:43
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
AVG-2031 edited at 03 Jun 2021 20:46:49
Status
- Testing
+ Fixed
AVG-2032 edited at 03 Jun 2021 20:46:49
Status
- Testing
+ Fixed
AVG-2034 edited at 03 Jun 2021 18:53:55
Status
- Testing
+ Fixed
CVE-2021-33815 edited at 03 Jun 2021 17:56:00
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked.
References
+ https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777