Filtered by vendor Redhat Subscriptions
Filtered by product Serverless Subscriptions
Total 85 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-29923 4 Fedoraproject, Golang, Oracle and 1 more 13 Fedora, Go, Timesten In-memory Database and 10 more 2024-08-03 7.5 High
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVE-2021-27918 2 Golang, Redhat 4 Go, Enterprise Linux, Openshift Container Storage and 1 more 2024-08-03 7.5 High
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
CVE-2021-3703 1 Redhat 2 Openshift Serverless, Serverless 2024-08-03 7.5 High
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless 1.16.0 and Serverless client kn 1.16.0. These have been fixed with Serverless 1.17.0.
CVE-2021-3114 5 Debian, Fedoraproject, Golang and 2 more 13 Debian Linux, Fedora, Go and 10 more 2024-08-03 6.5 Medium
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
CVE-2021-3115 5 Fedoraproject, Golang, Microsoft and 2 more 7 Fedora, Go, Windows and 4 more 2024-08-03 7.5 High
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
CVE-2022-41724 2 Golang, Redhat 20 Go, Ansible Automation Platform, Cert Manager and 17 more 2024-08-03 7.5 High
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
CVE-2022-41725 2 Golang, Redhat 19 Go, Ansible Automation Platform, Cert Manager and 16 more 2024-08-03 7.5 High
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
CVE-2022-41717 3 Fedoraproject, Golang, Redhat 25 Fedora, Go, Http2 and 22 more 2024-08-03 5.3 Medium
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
CVE-2022-41723 2 Golang, Redhat 22 Go, Hpack, Http2 and 19 more 2024-08-03 7.5 High
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2022-41715 2 Golang, Redhat 24 Go, Acm, Ceph Storage and 21 more 2024-08-03 7.5 High
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
CVE-2022-32148 2 Golang, Redhat 19 Go, Acm, Application Interconnect and 16 more 2024-08-03 6.5 Medium
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
CVE-2022-30632 2 Golang, Redhat 18 Go, Acm, Application Interconnect and 15 more 2024-08-03 7.5 High
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
CVE-2022-30635 2 Golang, Redhat 15 Go, Acm, Ceph Storage and 12 more 2024-08-03 7.5 High
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
CVE-2022-30631 2 Golang, Redhat 21 Go, Acm, Advanced Cluster Security and 18 more 2024-08-03 7.5 High
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
CVE-2022-30629 2 Golang, Redhat 15 Go, Acm, Ceph Storage and 12 more 2024-08-03 3.1 Low
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVE-2022-30633 2 Golang, Redhat 14 Go, Acm, Application Interconnect and 11 more 2024-08-03 7.5 High
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
CVE-2022-30630 2 Golang, Redhat 17 Go, Acm, Application Interconnect and 14 more 2024-08-03 7.5 High
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
CVE-2022-28327 3 Fedoraproject, Golang, Redhat 20 Extra Packages For Enterprise Linux, Fedora, Go and 17 more 2024-08-03 7.5 High
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
CVE-2022-28131 4 Fedoraproject, Golang, Netapp and 1 more 16 Fedora, Go, Cloud Insights Telegraf and 13 more 2024-08-03 7.5 High
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
CVE-2022-27664 3 Fedoraproject, Golang, Redhat 19 Fedora, Go, Acm and 16 more 2024-08-03 7.5 High
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.