Input validation error in Go programming language

#VU66121 Input validation error in Go programming language

Published: 2022-08-04

Vulnerability identifier: #VU66121

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32189

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in
Float.GobDecode. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.18 - 1.18.4, 1.17 - 1.17.12

External links
http://github.com/golang/go/issues/53871
http://github.com/golang/vulndb/issues/537

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4 for RHEL 9

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Security Services

Multiple vulnerabilities in IBM QRadar Suite Software

Ubuntu update for golang-1.13

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in IBM Storage Ceph

Splunk Enterprise update for third-party packages

Fedora EPEL 7 update for golang

Multiple vulnerabilities in Dell PowerProtect Cyber Recovery