reports/GO-2022-0537.yaml - vulndb - Git at Google

 packages:
   - module: std
     package: math/big
     symbols:
       - Float.GobDecode
       - Rat.GobDecode
     versions:
       - fixed: 1.17.13
       - introduced: 1.18.0
         fixed: 1.18.5
     vulnerable_at: 1.18.4
 description: |
     Decoding big.Float and big.Rat types can panic if the encoded message is
     too short, potentially allowing a denial of service.
 credit: '@catenacyber'
 links:
     pr: https://go.dev/cl/417774
     commit: https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66
     context:
       - https://go.dev/issue/53871
       - https://groups.google.com/g/golang-announce/c/YqYYG87xB10
 cve_metadata:
     id: CVE-2022-32189
     cwe: 'CWE 400: Uncontrolled Resource Consumption'
     description: |
         A too-short encoded message can cause a panic in Float.GobDecode and Rat
         GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially
         allowing a denial of service.
	packages:
	- module: std
	package: math/big
	symbols:
	- Float.GobDecode
	- Rat.GobDecode
	versions:
	- fixed: 1.17.13
	- introduced: 1.18.0
	fixed: 1.18.5
	vulnerable_at: 1.18.4
	description: \|
	Decoding big.Float and big.Rat types can panic if the encoded message is
	too short, potentially allowing a denial of service.
	credit: '@catenacyber'
	links:
	pr: https://go.dev/cl/417774
	commit: https://go.googlesource.com/go/+/055113ef364337607e3e72ed7d48df67fde6fc66
	context:
	- https://go.dev/issue/53871
	- https://groups.google.com/g/golang-announce/c/YqYYG87xB10
	cve_metadata:
	id: CVE-2022-32189
	cwe: 'CWE 400: Uncontrolled Resource Consumption'
	description: \|
	A too-short encoded message can cause a panic in Float.GobDecode and Rat
	GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially
	allowing a denial of service.