Vulnerabilities > CVE-2020-14040 - Infinite Loop vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

golang

fedoraproject

CWE-835

NVD

Published: 2020-06-17

Updated: 2023-11-07

Summary

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Vulnerable Configurations

Part	Description	Count
Application	Golang Golang Text 0.1.0 Golang Text 0.2.0 Golang Text 0.3.0 Golang Text 0.3.1 Golang Text 0.3.2	5
OS	Fedoraproject Fedoraproject Fedora 32	1

Common Weakness Enumeration (CWE)

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References