blob: fa225a172964062fdfd71e4f83ded1a2e54a8983 [file] [log] [blame]
id: GO-2020-0014
modules:
- module: golang.org/x/net
versions:
- fixed: 0.0.0-20190125091013-d26f9f9a57f3
vulnerable_at: 0.0.0-20190125002852-4b62a64f59f7
packages:
- package: golang.org/x/net/html
symbols:
- inSelectIM
- inSelectInTableIM
derived_symbols:
- Parse
- ParseFragment
summary: Infinite loop due to improper handling of "select" tags in golang.org/x/net/html
description: |-
html.Parse does not properly handle "select" tags, which can lead to an infinite
loop. If parsing user supplied input, this may be used as a denial of service
vector.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2018-17846
ghsas:
- GHSA-vfw5-hrgq-h5wf
credits:
- '@tr3ee'
references:
- fix: https://go-review.googlesource.com/c/137275
- fix: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
- report: https://go.dev/issue/27842
review_status: REVIEWED