CVE-2022-30635

Name
CVE-2022-30635
Description
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://go.dev/cl/417064
MISC https://go.googlesource.com/go/+/6fa37e98ea4382bf881428ee0c150ce591500eb7
MISC https://pkg.go.dev/vuln/GO-2022-0526
MISC https://go.dev/issue/53615
MISC https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None < 1.17.12
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= 1.18.0 < 1.18.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
go edge-community 1.18.4-r0 None fixed
go 3.22-community 1.18.4-r0 None fixed
go 3.21-community 1.18.4-r0 None fixed
go 3.20-community 1.18.4-r0 None fixed
go 3.19-community 1.18.4-r0 None fixed
go 3.18-community 1.18.4-r0 None fixed
go 3.17-community 1.18.4-r0 None fixed