CVE-2022-28131

Name

CVE-2022-28131

Description

In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x before 1.18.4, stack exhaustion and a panic can occur via a deeply nested XML document.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
MISC	https://pkg.go.dev/vuln/GO-2022-0521
MISC	https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
MISC	https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3
MISC	https://go.dev/issue/53614
MISC	https://go.dev/cl/417062
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
Mailing List	https://groups.google.com/g/golang-announce
CONFIRM	https://security.netapp.com/advisory/ntap-20221111-0009/

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:golang:go::::::::`	go	>= None	< 1.17.12
`cpe:2.3:a:golang:go::::::::`	go	>= 1.18.0	< 1.18.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status