| CVE-2021-3115 | AVG-1481 | Medium | No | Arbitrary command execution | A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The go command may execute arbitrary code at build time when using cgo on... |
| CVE-2021-3114 | AVG-1481 | Low | No | Incorrect calculation | A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The P224() Curve implementation can in rare circumstances generate incorrect... |
| CVE-2020-28367 | AVG-1278 | High | Yes | Arbitrary code execution | A flaw was found in go before 1.15.5 where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on... |
| CVE-2020-28366 | AVG-1278 | High | Yes | Arbitrary code execution | A flaw was found in go before 1.15.5 where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get... |
| CVE-2020-28362 | AVG-1278 | Low | No | Denial of service | A flaw was found in go before 1.15.5 where a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)... |
| CVE-2020-24553 | AVG-1215 | Medium | Yes | Cross-site scripting | In Go versions before 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would... |
| CVE-2019-17596 | AVG-1051 | Medium | Yes | Denial of service | Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,... |
| CVE-2019-16276 | AVG-1050 | High | Yes | Access restriction bypass | net/http (through net/textproto) in Go before 1.12.0 and 1.13.1 used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in... |
| CVE-2019-14809 | AVG-1021 | Medium | Yes | Insufficient validation | An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes... |
| CVE-2019-9514 | AVG-1021 | Medium | Yes | Denial of service | An issue has been found in several HTTP/2 implementations, where the attacker opens a number of streams and sends an invalid request over each stream that... |
| CVE-2019-9512 | AVG-1021 | Medium | Yes | Denial of service | An issue has been found in several HTTP/2 implementations, where the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal... |
| CVE-2019-6486 | AVG-859 | Medium | Yes | Private key recovery | Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker... |
| CVE-2018-16875 | AVG-835 | Medium | Yes | Denial of service | The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might... |
| CVE-2018-16874 | AVG-835 | High | Yes | Directory traversal | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go... |
| CVE-2018-16873 | AVG-835 | High | Yes | Arbitrary command execution | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path... |
| CVE-2018-6574 | AVG-606 | High | Yes | Arbitrary code execution | Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by... |
| CVE-2017-1000098 | AVG-433 | High | Yes | Denial of service | The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit.... |
| CVE-2017-15041 | AVG-442 | High | Yes | Arbitrary command execution | Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that... |