#VU45699 Infinite loop


Published: 2020-08-14

Vulnerability identifier: #VU45699

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-16845

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in "ReadUvarint" and "ReadVarint" in "encoding/binary". A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.13 - 1.13.14, 1.14 - 1.14.6


CPE

External links
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html
http://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q
http://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability