| { |
| "schema_version": "1.3.1", |
| "id": "GO-2021-0078", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "2021-04-14T20:04:52Z", |
| "aliases": [ |
| "CVE-2018-17075", |
| "GHSA-5p4h-3377-7w67" |
| ], |
| "summary": "Panic when parsing malformed HTML in golang.org/x/net/html", |
| "details": "The HTML parser does not properly handle \"in frameset\" insertion mode, and can be made to panic when operating on malformed HTML that contains \u003ctemplate\u003e tags. If operating on user input, this may be a vector for a denial of service attack.", |
| "affected": [ |
| { |
| "package": { |
| "name": "golang.org/x/net", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.0.0-20180816102801-aaf60122140d" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "golang.org/x/net/html", |
| "symbols": [ |
| "Parse", |
| "ParseFragment", |
| "inBodyIM", |
| "inFramesetIM" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/123776" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50" |
| }, |
| { |
| "type": "REPORT", |
| "url": "https://go.dev/issue/27016" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://bugs.chromium.org/p/chromium/issues/detail?id=829668" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "Kunpei Sakai" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0078", |
| "review_status": "REVIEWED" |
| } |
| } |