CVE-2022-30633

CVE-2022-30633

Name

CVE-2022-30633

Description

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08
MISC	https://go.dev/cl/417061
MISC	https://go.dev/issue/53611
MISC	https://pkg.go.dev/vuln/GO-2022-0523
MISC	https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/

Type

URI

MISC

https://go.googlesource.com/go/+/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08

MISC

https://go.dev/cl/417061

MISC

https://go.dev/issue/53611

MISC

https://pkg.go.dev/vuln/GO-2022-0523

MISC

https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:golang:go::::::::`	go	>= None	< 1.17.12
`cpe:2.3:a:golang:go::::::::`	go	>= 1.18.0	< 1.18.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= None

< 1.17.12

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= 1.18.0

< 1.18.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
go	edge-community	1.18.4-r0	None	fixed
go	edge-community	1.18.1-r0	None	possibly vulnerable
go	edge-community	1.17.8-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.17.7-r0	None	possibly vulnerable
go	edge-community	1.17.6-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.17.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.17.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.17.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.17-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.16.7-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.16.6-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.16.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.16.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
go	edge-community	1.16.2-r0	None	possibly vulnerable
go	edge-community	1.15.7-r0	None	possibly vulnerable
go	edge-community	1.15.5-r0	None	possibly vulnerable
go	edge-community	1.15.2-r0	None	possibly vulnerable
go	edge-community	1.15-r0	None	possibly vulnerable
go	edge-community	1.14.5-r0	None	possibly vulnerable
go	edge-community	1.13.7-r0	None	possibly vulnerable
go	edge-community	1.13.2-r0	None	possibly vulnerable
go	edge-community	1.13.1-r0	None	possibly vulnerable
go	edge-community	1.12.8-r0	None	possibly vulnerable
go	edge-community	1.11.5-r0	None	possibly vulnerable
go	edge-community	1.9.4-r0	None	possibly vulnerable
go	3.22-community	1.18.4-r0	None	fixed
go	3.22-community	1.18.1-r0	None	possibly vulnerable
go	3.22-community	1.17.8-r0	None	possibly vulnerable
go	3.22-community	1.17.7-r0	None	possibly vulnerable
go	3.22-community	1.17.6-r0	None	possibly vulnerable
go	3.22-community	1.17.3-r0	None	possibly vulnerable
go	3.22-community	1.17.2-r0	None	possibly vulnerable
go	3.22-community	1.17.1-r0	None	possibly vulnerable
go	3.22-community	1.17-r0	None	possibly vulnerable
go	3.22-community	1.16.7-r0	None	possibly vulnerable
go	3.22-community	1.16.6-r0	None	possibly vulnerable
go	3.22-community	1.16.5-r0	None	possibly vulnerable
go	3.22-community	1.16.4-r0	None	possibly vulnerable
go	3.22-community	1.16.2-r0	None	possibly vulnerable
go	3.22-community	1.15.7-r0	None	possibly vulnerable
go	3.22-community	1.15.5-r0	None	possibly vulnerable
go	3.22-community	1.15.2-r0	None	possibly vulnerable
go	3.22-community	1.15-r0	None	possibly vulnerable
go	3.22-community	1.14.5-r0	None	possibly vulnerable
go	3.22-community	1.13.7-r0	None	possibly vulnerable
go	3.22-community	1.13.2-r0	None	possibly vulnerable
go	3.22-community	1.13.1-r0	None	possibly vulnerable
go	3.22-community	1.12.8-r0	None	possibly vulnerable
go	3.22-community	1.11.5-r0	None	possibly vulnerable
go	3.22-community	1.9.4-r0	None	possibly vulnerable
go	3.21-community	1.18.4-r0	None	fixed
go	3.20-community	1.18.4-r0	None	fixed
go	3.19-community	1.18.4-r0	None	fixed
go	3.18-community	1.18.4-r0	None	fixed
go	3.17-community	1.18.4-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages