CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
83.8%
The Go project reports:
The SetString and UnmarshalText methods of math/big.Rat may cause a
panic or an unrecoverable fatal error if passed inputs with very
large exponents.
ReverseProxy in net/http/httputil could be made to forward certain
hop-by-hop headers, including Connection. In case the target of the
ReverseProxy was itself a reverse proxy, this would let an attacker
drop arbitrary headers, including those set by the
ReverseProxy.Director.
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
functions in net, and their respective methods on the Resolver type
may return arbitrary values retrieved from DNS which do not follow
the established RFC 1035 rules for domain names. If these names are
used without further sanitization, for instance unsafely included in
HTML, they may allow for injection of unexpected content. Note that
LookupTXT may still return arbitrary values that could require
sanitization before further use.
The NewReader and OpenReader functions in archive/zip can cause a
panic or an unrecoverable fatal error when reading an archive that
claims to contain a large number of files, regardless of its actual
size.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
83.8%