Description
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing because an index calculation is mishandled. If the application parses untrusted user input with this package, the panic can be used as a denial-of-service vector.
A flaw was found in Go's golang.org/x/text/language package: it can panic due to an out-of-bounds read when an incorrectly formatted language tag is parsed. An attacker who can feed untrusted input to an application that uses this package to parse language tags can crash it, causing a denial of service of the affected component.
Statement
This flaw can only be triggered when untrusted user input reaches the vulnerable Go library. The overall DoS attack vector therefore depends directly on how the consuming application exposes the library's input, so Red Hat rates the impact as Moderate. In Red Hat Advanced Cluster Management for Kubernetes (RHACM) 2.5, the registration-operator, lighthouse-coredns, lighthouse-agent, gatekeeper-operator, and discovery-operator components are affected by this flaw; the remaining components already use a patched version and are unaffected. In RHACM 2.4 and earlier, most components are affected.
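The statement's point is that exposure is governed by where untrusted tags enter the parser. The following is an added example, not code from the advisory or from golang.org/x/text, of the two defence-in-depth measures an application can apply while it moves to x/text 0.3.7 or later: a strict structural pre-check on tags taken from an Accept-Language header, and a recover boundary that turns a parser panic into an ordinary error. The parser is injected as a function; `vulnerableStandIn` is a constructed stand-in that panics on one chosen input (a trailing one-character subtag) and is not the library's code. In a real service you would pass a wrapper around `language.Parse` from golang.org/x/text instead. The names `WellFormed`, `SafeParse` and `AcceptLanguageTags` are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxTagLen caps the tag length before it reaches any parser; genuine BCP 47
// tags are short, and the cap bounds the work a hostile client can force.
const maxTagLen = 64

// WellFormed is a deliberately strict structural pre-check for a BCP 47 tag:
// non-empty, ASCII-only, dash-separated subtags of 1..8 alphanumerics, no
// empty subtags. It is not the full RFC 5646 grammar; its job is to refuse
// obviously malformed input before the third-party parser ever sees it.
func WellFormed(tag string) error {
	if tag == "" || len(tag) > maxTagLen {
		return errors.New("empty or oversized tag")
	}
	for _, sub := range strings.Split(tag, "-") {
		if sub == "" || len(sub) > 8 {
			return fmt.Errorf("bad subtag %q in %q", sub, tag)
		}
		for i := 0; i < len(sub); i++ {
			c := sub[i]
			isAlpha := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
			isDigit := c >= '0' && c <= '9'
			if !isAlpha && !isDigit {
				return fmt.Errorf("bad character %q in %q", c, tag)
			}
		}
	}
	return nil
}

// SafeParse runs parse on an untrusted tag behind a recover boundary, so a
// panic inside the parser (the failure mode of x/text < 0.3.7) becomes an
// error instead of killing the goroutine and, with it, the process.
func SafeParse(raw string, parse func(string) (string, error)) (tag string, err error) {
	if werr := WellFormed(raw); werr != nil {
		return "", werr
	}
	defer func() {
		if r := recover(); r != nil {
			tag, err = "", fmt.Errorf("tag parser panicked on %q: %v", raw, r)
		}
	}()
	return parse(raw)
}

// AcceptLanguageTags extracts the tags from an Accept-Language header value
// (dropping ;q= weights) and returns those that pass SafeParse, in header order.
func AcceptLanguageTags(header string, parse func(string) (string, error)) []string {
	var out []string
	for _, part := range strings.Split(header, ",") {
		raw := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		if raw == "" {
			continue
		}
		if tag, err := SafeParse(raw, parse); err == nil {
			out = append(out, tag)
		}
	}
	return out
}

// vulnerableStandIn is a constructed stand-in for a parser with an
// out-of-bounds read: it panics when the last subtag is a single character
// (e.g. "en-u"). It is NOT the golang.org/x/text code.
func vulnerableStandIn(s string) (string, error) {
	subs := strings.Split(s, "-")
	if len(subs[len(subs)-1]) == 1 {
		var offsets []int
		return "", fmt.Errorf("%d", offsets[len(s)]) // index out of range: runtime panic
	}
	return s, nil
}

func main() {
	// Constructed header: one valid tag, one with a q-weight, one structurally
	// malformed (rejected by WellFormed), one that makes the stand-in panic.
	header := "en-US,en;q=0.9, zh--Hant;q=0.5, en-u, fr-CA"
	fmt.Println(AcceptLanguageTags(header, vulnerableStandIn))
}
```

Two caveats when applying this. `recover` only catches panics on the goroutine whose deferred function calls it, so the boundary must wrap the parse call itself; `net/http` already recovers panics in handler goroutines, but parsers run from other goroutines, gRPC handlers without a recovery interceptor, CLI tools or Kubernetes operators reading tags from config will take the process down. And the guard is a stopgap: confirm the resolved version with `go list -m golang.org/x/text` and raise it with `go get golang.org/x/text@v0.3.7` (or later).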
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-proxy-rhel8 | Not affected | | |
| Migration Toolkit for Containers | rhmtc/openshift-migration-controller-rhel8 | Not affected | | |
| Migration Toolkit for Containers | rhmtc/openshift-migration-velero-restic-restore-helper-rhel8 | Not affected | | |
| Migration Toolkit for Containers | rhmtc/openshift-migration-velero-rhel8 | Not affected | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-must-gather-api-rhel8 | Not affected | | |
| OpenShift API for Data Protection | oadp/oadp-velero-restic-restore-helper-rhel8 | Not affected | | |
| OpenShift API for Data Protection | oadp/oadp-velero-rhel8 | Not affected | | |
| OpenShift Developer Tools and Services | odo | Fix deferred | | |
| OpenShift Service Mesh 2.0 | servicemesh | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-cni | Affected | | |
Additional information
Status:
EPSS:
CVSS3: 7.5 High
Related vulnerabilities
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
golang.org/x/text/language Out-of-bounds Read vulnerability
EPSS:
CVSS3: 7.5 High