Multiple vulnerabilities in Go programming language



Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2020-28362
CVE-2020-28367
CVE-2020-28366
CWE-ID CWE-20
CWE-94
Exploitation vector Network
Public exploit N/A
Vulnerable software
Go programming language
Universal components / Libraries / Scripting languages

Vendor Google

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU48480

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-28362

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD). A remote attacker can pass large input data to the application, specifically as divisor or modulo argument larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.0 - 1.15.4

CPE2.3 External links

http://github.com/golang/go/issues/42554
http://github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Code Injection

EUVDB-ID: #VU48479

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-28367

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation at build time when cgo is in use. A remote attacker can trick the victim to build a specially crafted application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.0 - 1.15.4

CPE2.3 External links

http://github.com/golang/go/issues/42558
http://github.com/golang/go/commit/ec06b6d6be568ce1591d91a0ea4f14c190d06605


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Code Injection

EUVDB-ID: #VU48478

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-28366

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation at build time when cgo is in use. A remote attacker can trick the victim into building a specially crafted application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.0 - 1.15.4

CPE2.3 External links

http://github.com/golang/go/issues/42562
http://github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###