Описание
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with xml.NewTokenDecoder it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with EOF within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS).
Отчет
OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization all bundle vulnerable versions of the golang standard library (stdlib). However, no component within each product utilizes the function xml.NewTokenDecoder which is a requirement to be vulnerable. Hence, all affected components are marked as "Will not fix". Additionally no OCP container has been listed, as nearly all available containers are compiled with an affected version of Go, but do not utilize the function xml.NewTokenDecoder. Red Hat Ceph Storage (RHCS), Red Hat Gluster Storage 3 and OpenShift Container Storage 4 also bundles a vulnerable version of golang standard library 'encoding/xml', but does not utilize the function xml.NewTokenDecoder, and hence this issue has been rated as having a security impact of Low.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel8 | Will not fix | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-collector-rhel8 | Will not fix | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-rhel8-operator | Will not fix | ||
| OpenShift Serverless | knative-eventing | Will not fix | ||
| OpenShift Serverless | knative-serving | Will not fix | ||
| OpenShift Service Mesh 2.0 | servicemesh | Will not fix | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Will not fix | ||
| OpenShift Service Mesh 2.0 | servicemesh-operator | Will not fix | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Will not fix | ||
| Red Hat Ceph Storage 2 | golang | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infin ...
EPSS
7.5 High
CVSS3