CVE-2021-38561

Name: CVE-2021-38561

Description: golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

NVD Severity: unknown

References

| Type | URI |
|---|---|
| MISC | https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f |
| MISC | https://groups.google.com/g/golang-announce |
| CONFIRM | https://deps.dev/advisory/OSV/GO-2021-0113 |
| MISC | https://pkg.go.dev/golang.org/x/text/language |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:golang:text:*:*:*:*:*:*:*:* | text | >= None | < 0.3.7 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| git-lfs | edge-community | 3.1.2-r3 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| git-lfs | 3.22-community | 3.1.2-r3 | None | fixed |
| git-lfs | 3.21-community | 3.1.2-r3 | None | fixed |
| git-lfs | 3.20-community | 3.1.2-r3 | None | fixed |
| git-lfs | 3.19-community | 3.1.2-r3 | None | fixed |
| git-lfs | 3.18-community | 3.1.2-r3 | None | fixed |
| git-lfs | 3.17-community | 3.1.2-r3 | None | fixed |