Vulnerabilities > Golang

DATE CVE VULNERABILITY TITLE RISK
2021-03-11 CVE-2021-27918 Infinite Loop vulnerability in Golang GO
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element.
network
low complexity
golang CWE-835
7.5
2021-01-26 CVE-2021-3115 Uncontrolled Search Path Element vulnerability in multiple products
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
network
high complexity
golang fedoraproject netapp CWE-427
7.5
2021-01-26 CVE-2021-3114 Incorrect Calculation vulnerability in multiple products
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
network
low complexity
golang fedoraproject debian netapp CWE-682
6.5
2021-01-11 CVE-2021-3121 Improper Validation of Array Index vulnerability in multiple products
An issue was discovered in GoGo Protobuf before 1.3.2.
network
low complexity
golang hashicorp CWE-129
8.6
2021-01-02 CVE-2020-28852 Improper Validation of Array Index vulnerability in Golang Text
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag.
network
low complexity
golang CWE-129
7.5
2021-01-02 CVE-2020-28851 Improper Validation of Array Index vulnerability in Golang GO 1.15.4
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.
network
low complexity
golang CWE-129
7.5
2020-12-17 CVE-2020-29652 NULL Pointer Dereference vulnerability in Golang SSH 0.0.0-20200622213623-75b288015ac9/0.0.0-20201203163018-be400aefbc4c
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
network
low complexity
golang CWE-476
7.5
2020-12-14 CVE-2020-29511
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
network
high complexity
golang netapp
5.6
2020-12-14 CVE-2020-29510
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
network
high complexity
golang netapp
5.6
2020-12-14 CVE-2020-29509
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
network
high complexity
golang netapp
5.6