go1.19 (SUSE:Linux Enterprise Module for Development Tools 15 SP4) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Development Tools 15 SP4 package go1.19, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (26)
CVE-2023-29404 — CVSS 9.8 (critical): The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when…
CVE-2023-29405 — CVSS 9.8 (critical): The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when…
CVE-2023-24538 — CVSS 9.8 (critical): Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used…
CVE-2023-24540 — CVSS 9.8 (critical): Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the…
CVE-2023-29402 — CVSS 9.8 (critical): The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program…
CVE-2023-29403 — CVSS 7.8 (high): On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in…
CVE-2022-41720 — CVSS 7.5 (high): On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of…
CVE-2022-41722 — CVSS 7.5 (high): A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path…
CVE-2022-41723 — CVSS 7.5 (high): A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service…
CVE-2022-41724 — CVSS 7.5 (high): Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers…
CVE-2022-41725 — CVSS 7.5 (high): A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with…
CVE-2023-24534 — CVSS 7.5 (high): HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of…
CVE-2023-24536 — CVSS 7.5 (high): Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This…
CVE-2023-24537 — CVSS 7.5 (high): Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite…
CVE-2022-27664 — CVSS 7.5 (high): In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang…
CVE-2022-2879 — CVSS 7.5 (high): Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded…
CVE-2022-2880 — CVSS 7.5 (high): Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by…
CVE-2022-32190 — CVSS 7.5 (high): JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go")…
CVE-2022-41715 — CVSS 7.5 (high): Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed…
CVE-2022-41716 — CVSS 7.5 (high): Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and…
CVE-2023-29400 — CVSS 7.3 (high): Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected…
CVE-2023-24539 — CVSS 7.3 (high): Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions…
CVE-2023-29406 — CVSS 6.5 (medium): The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers…
CVE-2023-24532 — CVSS 5.3 (medium): The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars…
CVE-2022-41717 — CVSS 5.3 (medium): An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP…
CVE-2023-29409 — CVSS 5.3 (medium): Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the…