CVSS2: AV:N/AC:L/Au:N/C:N/I:N/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
EPSS Percentile: 92.4%
Issue Overview:
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. A denial of service vulnerability was found in the golang.org/x/text library: a library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Bytes, to be susceptible. If an attacker is able to supply specific characters or strings to the vulnerable application, they can cause an infinite loop that consumes ever more memory, resulting in a denial of service. (CVE-2020-14040)
Go before 1.13.15 and 1.14.x before 1.14.7 can enter an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. (CVE-2020-16845)
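The read loop in CVE-2020-16845 never ends because every byte with its high bit set announces that another byte follows, so a stream made only of such bytes is never "finished". The following is an added example, not Go's or the advisory's code: readUvarintBounded and endlessContinuation are assumed names that show the defensive bound the fixed Go releases apply (a uint64 needs at most 10 bytes), with a constructed reader standing in for the invalid input; updating golang as described below remains the actual correction.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxVarintLen64 is the longest valid base-128 encoding of a uint64 (10 bytes).
const maxVarintLen64 = 10

// errVarintOverflow is returned once that bound is exceeded; an unbounded
// decoder would instead keep reading continuation bytes forever.
var errVarintOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarintBounded decodes a uvarint from r but never consumes more than
// maxVarintLen64 bytes, so an input made only of continuation bytes (bit 7
// set on every byte) terminates with an error instead of spinning.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < maxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err // truncated input surfaces as io.EOF
		}
		if b < 0x80 {
			// Final byte: the 10th byte may only carry one more bit.
			if i == maxVarintLen64-1 && b > 1 {
				return x, errVarintOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errVarintOverflow
}

// endlessContinuation is a constructed reader that returns 0x80 forever,
// the shape of invalid input that keeps an unbounded loop busy.
type endlessContinuation struct{}

func (endlessContinuation) ReadByte() (byte, error) { return 0x80, nil }

func main() {
	v, err := readUvarintBounded(bytes.NewReader([]byte{0xac, 0x02}))
	fmt.Println(v, err) // 300 <nil>
	_, err = readUvarintBounded(endlessContinuation{})
	fmt.Println(err) // varint overflows a 64-bit integer
}
```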
Affected Packages:
golang
Issue Correction:
Run yum update golang to update your system.
New Packages:
i686:
golang-1.13.15-1.59.amzn1.i686
golang-bin-1.13.15-1.59.amzn1.i686
noarch:
golang-docs-1.13.15-1.59.amzn1.noarch
golang-tests-1.13.15-1.59.amzn1.noarch
golang-misc-1.13.15-1.59.amzn1.noarch
golang-src-1.13.15-1.59.amzn1.noarch
src:
golang-1.13.15-1.59.amzn1.src
x86_64:
golang-bin-1.13.15-1.59.amzn1.x86_64
golang-1.13.15-1.59.amzn1.x86_64
golang-race-1.13.15-1.59.amzn1.x86_64
Red Hat: CVE-2020-14040, CVE-2020-16845
Mitre: CVE-2020-14040, CVE-2020-16845
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | golang | < 1.13.15-1.59.amzn1 | golang-1.13.15-1.59.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | golang-bin | < 1.13.15-1.59.amzn1 | golang-bin-1.13.15-1.59.amzn1.i686.rpm |
Amazon Linux | 1 | noarch | golang-docs | < 1.13.15-1.59.amzn1 | golang-docs-1.13.15-1.59.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | golang-tests | < 1.13.15-1.59.amzn1 | golang-tests-1.13.15-1.59.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | golang-misc | < 1.13.15-1.59.amzn1 | golang-misc-1.13.15-1.59.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | golang-src | < 1.13.15-1.59.amzn1 | golang-src-1.13.15-1.59.amzn1.noarch.rpm |
Amazon Linux | 1 | x86_64 | golang-bin | < 1.13.15-1.59.amzn1 | golang-bin-1.13.15-1.59.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | golang | < 1.13.15-1.59.amzn1 | golang-1.13.15-1.59.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | golang-race | < 1.13.15-1.59.amzn1 | golang-race-1.13.15-1.59.amzn1.x86_64.rpm |