Description
Calling any of the Parse functions of Go's go/parser package on Go source code that contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
A flaw was found in Go: its source parser is vulnerable to a denial of service caused by this infinite loop. A remote attacker who can get specially crafted source code in front of one of the Parse functions (for example through a service that analyses, formats or builds user-submitted Go code) can cause a denial of service.
Report
This vulnerability has been rated Moderate. It allows a denial-of-service condition in Go's source code parser when it processes specially crafted input containing //line directives with excessively large line numbers. Exploitation causes the parser to enter an infinite loop, consuming CPU and rendering the affected service unresponsive. The issue does not permit code execution or data access, but it has a significant availability impact on systems that parse untrusted Go source. Exposure requires that attacker-controlled input reach one of the Parse functions (parser.ParseFile, parser.ParseDir, parser.ParseExpr and so on); a program built with an affected toolchain that never parses Go source at runtime is not reachable through this path.
Mitigation
To mitigate this issue, upgrade Go to version 1.19.8 or 1.20.3, or any later release, where the vulnerability has been addressed. Until the toolchain is upgraded, avoid passing untrusted Go source to the Parse functions, or screen it for //line directives with oversized line numbers before parsing.
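As an added example (this is not code from the advisory or from the Go project), the following Go program shows a pre-parse guard for services that must accept untrusted Go source: it scans the raw bytes for `//line` and `/*line ... */` directives, bounds the line and column fields the way the Go scanner reads them (from the end, so filenames containing `:` still work), and only hands the source to go/parser once the check passes. The bound `maxDirectiveLine`, the helper names and the sample inputs are assumptions made for this example; the sample sources are constructed, not taken from any real report.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// maxDirectiveLine is the largest line or column number this guard accepts in a
// line directive. The bound is an assumption chosen for this example.
const maxDirectiveLine int64 = 1 << 20

var errOversizedLineDirective = errors.New("line directive carries an oversized line or column number")

// Constructed sample inputs for the demonstration (not from any real report).
const (
	benignSrc   = "package p\n\n//line gen.go:42:7\nvar x = 1\n"
	windowsSrc  = "package p\n\n//line C:\\src\\gen.go:10:5\nvar x = 1\n"
	hugeLineSrc = "package p\n\n//line evil.go:9223372036854775807\nvar x = 1\n"
	overflowSrc = "package p\n\nvar x = 1 /*line evil.go:99999999999999999999*/\n"
)

// isDigits reports whether s is a non-empty run of ASCII digits.
func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// checkDirectiveBody inspects the text after "//line " or "/*line ". The last
// one or two colon-separated numeric fields are the line and optional column;
// any such field above maxLine, or too large to fit in an int64, is rejected.
func checkDirectiveBody(body string, maxLine int64) error {
	body = strings.TrimSpace(body)
	for k := 0; k < 2; k++ {
		i := strings.LastIndexByte(body, ':')
		if i < 0 {
			return nil
		}
		field := body[i+1:]
		if !isDigits(field) {
			return nil // not a numeric field: nothing further to bound
		}
		n, err := strconv.ParseInt(field, 10, 64)
		if err != nil || n > maxLine {
			return fmt.Errorf("%w: %q", errOversizedLineDirective, field)
		}
		body = body[:i]
	}
	return nil
}

// checkLineDirectives scans raw source line by line. "//line" only counts at
// the start of a line; "/*line ... */" may appear anywhere on the line.
func checkLineDirectives(src []byte, maxLine int64) error {
	sc := bufio.NewScanner(bytes.NewReader(src))
	sc.Buffer(make([]byte, 64*1024), 16*1024*1024)
	lineNo := 0
	for sc.Scan() {
		lineNo++
		text := sc.Text()
		if strings.HasPrefix(text, "//line ") {
			if err := checkDirectiveBody(text[len("//line "):], maxLine); err != nil {
				return fmt.Errorf("line %d: %w", lineNo, err)
			}
		}
		rest := text
		for {
			i := strings.Index(rest, "/*line ")
			if i < 0 {
				break
			}
			rest = rest[i+len("/*line "):]
			j := strings.Index(rest, "*/")
			if j < 0 {
				break // unterminated comment: go/parser reports that itself
			}
			if err := checkDirectiveBody(rest[:j], maxLine); err != nil {
				return fmt.Errorf("line %d: %w", lineNo, err)
			}
			rest = rest[j+2:]
		}
	}
	return sc.Err() // bufio.ErrTooLong for an absurdly long line is also a rejection
}

// parseUntrusted runs the guard and only then hands the bytes to go/parser.
func parseUntrusted(name string, src []byte) (*ast.File, error) {
	if err := checkLineDirectives(src, maxDirectiveLine); err != nil {
		return nil, err
	}
	return parser.ParseFile(token.NewFileSet(), name, src, parser.ParseComments)
}

func main() {
	samples := map[string]string{"benign": benignSrc, "windows-path": windowsSrc,
		"huge-line": hugeLineSrc, "int64-overflow": overflowSrc}
	for name, src := range samples {
		_, err := parseUntrusted(name+".go", []byte(src))
		fmt.Printf("%-15s rejected=%v err=%v\n", name, errors.Is(err, errOversizedLineDirective), err)
	}
}
```

The guard is defence in depth for a service that cannot move to a fixed toolchain immediately, not a replacement for the upgrade: it bounds the only input feature the advisory names, and leaves every other syntax error to the parser.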
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel9 | Not affected | | |
| Node HealthCheck Operator | workload-availability/node-healthcheck-rhel8-operator | Affected | | |
| Node Maintenance Operator | workload-availability/node-maintenance-rhel8-operator | Affected | | |
| OpenShift Developer Tools and Services | helm | Affected | | |
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Will not fix | | |
| OpenShift Developer Tools and Services | odo | Will not fix | | |
| OpenShift Pipelines | openshift-pipelines-client | Affected | | |
| OpenShift Service Mesh 2 | openshift-golang-builder-container | Will not fix | | |
| Red Hat 3scale API Management Platform 2 | 3scale-operator-container | Affected | | |
Additional information
CVSS3: 7.5 (High)