Vulnerabilities > Golang

DATE CVE VULNERABILITY TITLE RISK

2018-02-16 CVE-2018-7187 OS Command Injection vulnerability in multiple products
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
network, low complexity | golang debian | CWE-78 | 8.8

2018-02-07 CVE-2018-6574 Code Injection vulnerability in multiple products
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
local, low complexity | golang debian redhat | CWE-94 | 7.8

2017-10-18 CVE-2015-5740 HTTP Request Smuggling vulnerability in multiple products
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.
network, low complexity | golang fedoraproject redhat | CWE-444 | critical 9.8

2017-10-18 CVE-2015-5739 HTTP Request Smuggling vulnerability in multiple products
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length".
network, low complexity | golang fedoraproject redhat | CWE-444 | critical 9.8

2017-10-05 CVE-2017-15042 Cleartext Transmission of Sensitive Information vulnerability in Golang GO
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1.
network, high complexity | golang | CWE-319 | 5.9

2017-10-05 CVE-2017-15041 Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution.
network, low complexity | golang debian redhat | critical 9.8

2017-10-05 CVE-2017-1000098 Uncontrolled File Descriptor Consumption vulnerability in Golang GO
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit.
network, low complexity | golang | CWE-769 | 7.5

2017-10-05 CVE-2017-1000097 Improper Certificate Validation vulnerability in Golang GO
On Darwin, the user's trust preferences for root certificates were not honored.
network, low complexity | golang | CWE-295 | 7.5

2017-07-06 CVE-2017-8932 Incorrect Calculation vulnerability in multiple products
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points.
network, high complexity | golang fedoraproject novell opensuse | CWE-682 | 5.9

2017-04-04 CVE-2017-3204 Unspecified vulnerability in Golang Crypto
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks.
network, high complexity | golang | 8.1