Vulnerabilities > Golang > GO > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-01-24 | CVE-2019-6486 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. | 8.2 |
2018-12-14 | CVE-2018-16875 | Improper Certificate Validation vulnerability in multiple products The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. | 7.5 |
2018-12-14 | CVE-2018-16874 | Improper Input Validation vulnerability in multiple products In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). | 8.1 |
2018-12-14 | CVE-2018-16873 | Improper Input Validation vulnerability in multiple products In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. | 8.1 |
2018-02-07 | CVE-2018-6574 | Code Injection vulnerability in multiple products Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. | 7.8 |
2017-10-18 | CVE-2015-5740 | HTTP Request Smuggling vulnerability in multiple products The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers. | 7.5 |
2017-10-18 | CVE-2015-5739 | HTTP Request Smuggling vulnerability in multiple products The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." | 7.5 |
2017-10-05 | CVE-2017-15041 | Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. | 7.5 |
2017-10-05 | CVE-2017-1000098 | Uncontrolled File Descriptor Consumption vulnerability in Golang GO The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. | 7.5 |
2017-10-05 | CVE-2017-1000097 | Improper Certificate Validation vulnerability in Golang GO On Darwin, user's trust preferences for root certificates were not honored. | 7.5 |