go1.21 (SUSE:Linux Enterprise Module for Development Tools 15 SP5) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Development Tools 15 SP5 package go1.21, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (22)
CVE-2023-39320 — CVSS 9.8 (critical): The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module…
CVE-2024-24790 — CVSS 9.8 (critical): The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses…
CVE-2023-39323 — CVSS 8.1 (high): Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to…
CVE-2023-39325 — CVSS 7.5 (high): A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While…
CVE-2024-24791 — CVSS 7.5 (high): The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a…
CVE-2023-39322 — CVSS 7.5 (high): QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC…
CVE-2023-45283 — CVSS 7.5 (high): The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device…
CVE-2023-45285 — CVSS 7.5 (high): Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is…
CVE-2023-45288 — CVSS 7.5 (high): An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames…
CVE-2024-24784 — CVSS 7.5 (high): The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment…
CVE-2023-45290 — CVSS 6.5 (medium): When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue…
CVE-2024-24787 — CVSS 6.4 (medium): On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of…
CVE-2023-39319 — CVSS 6.1 (medium): The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals…
CVE-2023-39318 — CVSS 6.1 (medium): The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts…
CVE-2024-24783 — CVSS 5.9 (medium): Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic…
CVE-2024-24789 — CVSS 5.5 (medium): The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This…
CVE-2024-24785 — CVSS 5.4 (medium): If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior…
CVE-2023-39326 — CVSS 5.3 (medium): A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from…
CVE-2023-45284 — CVSS 5.3 (medium): On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as…
CVE-2023-45289 — CVSS 4.3 (medium): When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not…