Description
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability.
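The bug described above is a recursion-depth problem: filepath.Glob recurses once per path separator in the pattern, so an untrusted pattern with enough separators exhausts the goroutine stack on unpatched Go. The following is an added defensive example, not code from Go or from the advisory: an application-side wrapper that counts separators and refuses oversized patterns before Glob runs. The names SafeGlob, CountSeparators, ErrTooManySeparators and the limit MaxPatternSeparators are assumptions chosen here, not values from the page.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrTooManySeparators is returned when a pattern exceeds the separator budget.
var ErrTooManySeparators = errors.New("glob pattern has too many path separators")

// MaxPatternSeparators is an application-chosen budget (an assumption, not a
// value from the advisory). Legitimate glob patterns rarely nest this deep,
// while the pathological input needs thousands of separators.
const MaxPatternSeparators = 256

// CountSeparators returns how many path separators a pattern contains.
// Glob recurses once per separator, so this is the depth it would reach.
// os.IsPathSeparator is used so that both '/' and '\' count on Windows.
func CountSeparators(pattern string) int {
	n := 0
	for i := 0; i < len(pattern); i++ {
		if os.IsPathSeparator(pattern[i]) {
			n++
		}
	}
	return n
}

// SafeGlob wraps filepath.Glob and rejects patterns whose separator count
// exceeds maxSeps. On Go releases before the fix this prevents the
// stack-exhaustion panic; on fixed releases it still gives a clearer error
// than a generic bad-pattern failure.
func SafeGlob(pattern string, maxSeps int) ([]string, error) {
	if n := CountSeparators(pattern); n > maxSeps {
		return nil, fmt.Errorf("%w: %d > %d", ErrTooManySeparators, n, maxSeps)
	}
	return filepath.Glob(pattern)
}

func main() {
	// Constructed inputs: an ordinary pattern and a separator-heavy one.
	for _, p := range []string{"*.txt", strings.Repeat("/", 5000) + "*"} {
		matches, err := SafeGlob(p, MaxPatternSeparators)
		if err != nil {
			fmt.Printf("rejected pattern of length %d: %v\n", len(p), err)
			continue
		}
		fmt.Printf("pattern %q matched %d entries\n", p, len(matches))
	}
}
```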
Report
Exploiting this flaw only results in a denial of service, with the application crashing, which is why it has been rated as Moderate. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-1325: Improperly Controlled Sequential Memory Allocation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Access to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and is governed by least privilege to ensure only authorized users and roles can execute or modify code. Static code analysis and peer reviews enforce strong input validation and error handling, preventing improperly validated inputs from causing system instability, data exposure, or privilege escalation. In the event of successful exploitation, process isolation limits the impact of excessive sequential memory allocation by restricting memory use per process, preventing any single process from exhausting system resources. Finally, the platform uses memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to reduce the risk of memory allocation-based attacks.
Affected packages
Platform | Package | Status | Recommendation | Release
---|---|---|---|---
Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Affected | |
mirror registry for Red Hat OpenShift | mirror-registry-container | Affected | |
Node Maintenance Operator | workload-availability/node-maintenance-rhel8-operator | Affected | |
OpenShift Developer Tools and Services | helm | Will not fix | |
OpenShift Developer Tools and Services | odo | Affected | |
OpenShift Pipelines | openshift-pipelines-client | Affected | |
Red Hat 3scale API Management Platform 2 | 3scale-operator-container | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/gatekeeper-rhel8-operator | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/subctl-rhel9 | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/work-rhel8 | Affected | |
Additional information
Status:
EPSS:
CVSS3: 7.5 (High)
Related vulnerabilities
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.