CVE-2022-30633

{"id": "CVE-2022-30633", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-08-10T20:15:42.210", "references": [{"url": "https://go.dev/cl/417061", "tags": ["Patch", "Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/53611", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0523", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://go.dev/cl/417061", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://go.dev/issue/53611", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0523", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag."}, {"lang": "es", "value": "Una recursi\u00f3n no controlada en Unmarshal en encoding/xml versiones anteriores a Go 1.17.12 y Go 1.18.4 permite a un atacante causar un p\u00e1nico debido al agotamiento de la pila por medio de unmarshal de un documento XML en una estructura Go que presenta un campo anidado que usa la etiqueta de campo 'any'"}], "lastModified": "2024-11-21T07:03:04.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "646881F6-A299-4D92-A1F3-E95959FA426F", "versionEndExcluding": "1.17.12"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE088A2D-7894-4A48-887C-36DD727A7BEB", "versionEndExcluding": "1.18.4", "versionStartIncluding": "1.18.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}