| CVE-2020-24553 |
AVG-1215 |
Medium |
Yes |
Cross-site scripting |
In Go versions before 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would... |
| CVE-2019-17596 |
AVG-1051 |
Medium |
Yes |
Denial of service |
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,... |
| CVE-2019-16276 |
AVG-1050 |
High |
Yes |
Access restriction bypass |
net/http (through net/textproto) in Go before 1.12.0 and 1.13.1 used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in... |
| CVE-2019-14809 |
AVG-1021 |
Medium |
Yes |
Insufficient validation |
An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes... |
| CVE-2019-9514 |
AVG-1021 |
Medium |
Yes |
Denial of service |
An issue has been found in several HTTP/2 implementations, where the attacker opens a number of streams and sends an invalid request over each stream that... |
| CVE-2019-9512 |
AVG-1021 |
Medium |
Yes |
Denial of service |
An issue has been found in several HTTP/2 implementations, where the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal... |
| CVE-2019-6486 |
AVG-859 |
Medium |
Yes |
Private key recovery |
Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker... |
| CVE-2018-16875 |
AVG-835 |
Medium |
Yes |
Denial of service |
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might... |
| CVE-2018-16874 |
AVG-835 |
High |
Yes |
Directory traversal |
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go... |
| CVE-2018-16873 |
AVG-835 |
High |
Yes |
Arbitrary command execution |
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path... |
| CVE-2018-6574 |
AVG-606 |
High |
Yes |
Arbitrary code execution |
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by... |
| CVE-2017-1000098 |
AVG-433 |
High |
Yes |
Denial of service |
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit.... |
| CVE-2017-15041 |
AVG-442 |
High |
Yes |
Arbitrary command execution |
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that... |