#VU48480 Input validation error in Go programming language


Published: 2020-11-17

Vulnerability identifier: #VU48480

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28362

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD). A remote attacker can pass large input data to the application, specifically as divisor or modulo argument larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.14 - 1.14.11, 1.15 - 1.15.4, 1.13 - 1.13.15, 1.12 - 1.12.17, 1.11 - 1.11beta3, 1.10 - 1.10.8, 1.1 - 1.1.2, 1.9 - 1.9.7, 1.8 - 1.8.7, 1.7 - 1.7.6, 1.6 - 1.6.4, 1.5 - 1.5.4, 1.4 - 1.4.3, 1.3 - 1.3.3, 1.2 - 1.2.2, 1.0 - 1.0.3


CPE

External links
http://github.com/golang/go/issues/42554
http://github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability