data/reports/GO-2020-0014.yaml - vulndb - Git at Google

 modules:
   - module: golang.org/x/net
     versions:
       - fixed: 0.0.0-20190125091013-d26f9f9a57f3
     vulnerable_at: 0.0.0-20190125002852-4b62a64f59f7
     packages:
       - package: golang.org/x/net/html
         symbols:
           - inSelectIM
           - inSelectInTableIM
         derived_symbols:
           - Parse
           - ParseFragment
 description: |
     html.Parse does not properly handle "select" tags, which can lead
     to an infinite loop. If parsing user supplied input, this may be used
     as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-17846
 credit: '@tr3ee'
 references:
   - fix: https://go-review.googlesource.com/c/137275
   - fix: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
   - report: https://go.dev/issue/27842
	modules:
	- module: golang.org/x/net
	versions:
	- fixed: 0.0.0-20190125091013-d26f9f9a57f3
	vulnerable_at: 0.0.0-20190125002852-4b62a64f59f7
	packages:
	- package: golang.org/x/net/html
	symbols:
	- inSelectIM
	- inSelectInTableIM
	derived_symbols:
	- Parse
	- ParseFragment
	description: \|
	html.Parse does not properly handle "select" tags, which can lead
	to an infinite loop. If parsing user supplied input, this may be used
	as a denial of service vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2018-17846
	credit: '@tr3ee'
	references:
	- fix: https://go-review.googlesource.com/c/137275
	- fix: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
	- report: https://go.dev/issue/27842