Go Vulnerability Database

Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.


Recent Reports

GO-2024-2744

If the file authentication backend is being used, the ewatch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to.

GO-2024-2743

XSS vulnerability via personal website in github.com/apache/incubator-answer

GO-2024-2730

(This report has been withdrawn on the grounds that it generates too many false positives. Session IDs are documented as not being suitable to hold user-provided data.) FilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem. Programs which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.

GO-2024-2687

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

GO-2024-2683

HashiCorp Consul does not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.

View all reports

If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.
