Vulnerabilities > Golang > GO > High

DATE CVE VULNERABILITY TITLE RISK
2019-09-30 CVE-2019-16276 HTTP Request Smuggling vulnerability in multiple products
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
7.5
2019-03-08 CVE-2019-9634 Uncontrolled Search Path Element vulnerability in Golang GO
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
local
low complexity
golang CWE-427
7.8
2019-01-24 CVE-2019-6486 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
network
low complexity
golang debian opensuse CWE-770
8.2
2018-12-14 CVE-2018-16875 Improper Certificate Validation vulnerability in multiple products
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service.
network
low complexity
golang opensuse CWE-295
7.5
2018-12-14 CVE-2018-16874 Improper Input Validation vulnerability in multiple products
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters).
network
high complexity
golang opensuse suse debian CWE-20
8.1
2018-12-14 CVE-2018-16873 Improper Input Validation vulnerability in multiple products
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly.
network
high complexity
golang opensuse suse debian CWE-20
8.1
2018-02-16 CVE-2018-7187 OS Command Injection vulnerability in multiple products
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
network
low complexity
golang debian CWE-78
8.8
2018-02-07 CVE-2018-6574 Code Injection vulnerability in multiple products
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
local
low complexity
golang debian redhat CWE-94
7.8
2017-10-05 CVE-2017-1000098 Uncontrolled File Descriptor Consumption vulnerability in Golang GO
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit.
network
low complexity
golang CWE-769
7.5
2017-10-05 CVE-2017-1000097 Improper Certificate Validation vulnerability in Golang GO
On Darwin, user's trust preferences for root certificates were not honored.
network
low complexity
golang CWE-295
7.5