Filtered by vendor Redhat Subscriptions
Filtered by product Serverless Subscriptions
Total 85 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-30631 2 Golang, Redhat 21 Go, Acm, Advanced Cluster Security and 18 more 2024-11-21 7.5 High
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
CVE-2022-30630 2 Golang, Redhat 17 Go, Acm, Application Interconnect and 14 more 2024-11-21 7.5 High
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
CVE-2022-30629 2 Golang, Redhat 15 Go, Acm, Ceph Storage and 12 more 2024-11-21 3.1 Low
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVE-2022-2880 2 Golang, Redhat 20 Go, Acm, Ceph Storage and 17 more 2024-11-21 7.5 High
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
CVE-2022-2879 2 Golang, Redhat 16 Go, Container Native Virtualization, Devtools and 13 more 2024-11-21 7.5 High
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVE-2022-28327 3 Fedoraproject, Golang, Redhat 20 Extra Packages For Enterprise Linux, Fedora, Go and 17 more 2024-11-21 7.5 High
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
CVE-2022-28131 4 Fedoraproject, Golang, Netapp and 1 more 16 Fedora, Go, Cloud Insights Telegraf and 13 more 2024-11-21 7.5 High
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
CVE-2022-27664 3 Fedoraproject, Golang, Redhat 19 Fedora, Go, Acm and 16 more 2024-11-21 7.5 High
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-27191 3 Fedoraproject, Golang, Redhat 12 Extra Packages For Enterprise Linux, Fedora, Ssh and 9 more 2024-11-21 7.5 High
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
CVE-2022-24921 4 Debian, Golang, Netapp and 1 more 11 Debian Linux, Go, Astra Trident and 8 more 2024-11-21 7.5 High
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
CVE-2022-24675 4 Fedoraproject, Golang, Netapp and 1 more 17 Fedora, Go, Kubernetes Monitoring Operator and 14 more 2024-11-21 7.5 High
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
CVE-2022-23806 4 Debian, Golang, Netapp and 1 more 14 Debian Linux, Go, Beegfs Csi Driver and 11 more 2024-11-21 9.1 Critical
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
CVE-2022-23773 3 Golang, Netapp, Redhat 12 Go, Beegfs Csi Driver, Cloud Insights Telegraf Agent and 9 more 2024-11-21 7.5 High
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
CVE-2022-23772 4 Debian, Golang, Netapp and 1 more 13 Debian Linux, Go, Beegfs Csi Driver and 10 more 2024-11-21 7.5 High
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
CVE-2022-22963 3 Oracle, Redhat, Vmware 29 Banking Branch, Banking Cash Management, Banking Corporate Lending Process Management and 26 more 2024-11-21 9.8 Critical
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
CVE-2022-21698 4 Fedoraproject, Prometheus, Rdo Project and 1 more 17 Extra Packages For Enterprise Linux, Fedora, Client Golang and 14 more 2024-11-21 7.5 High
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
CVE-2022-1996 3 Fedoraproject, Go-restful Project, Redhat 6 Fedora, Go-restful, Container Native Virtualization and 3 more 2024-11-21 9.1 Critical
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
CVE-2022-1962 2 Golang, Redhat 16 Go, Acm, Application Interconnect and 13 more 2024-11-21 5.5 Medium
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
CVE-2022-1705 2 Golang, Redhat 22 Go, Acm, Application Interconnect and 19 more 2024-11-21 6.5 Medium
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
CVE-2021-44717 4 Debian, Golang, Opengroup and 1 more 10 Debian Linux, Go, Unix and 7 more 2024-11-21 4.8 Medium
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.