| id: GO-2022-0433 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.17.9 |
| - introduced: 1.18.0-0 |
| fixed: 1.18.1 |
| vulnerable_at: 1.18.0 |
| packages: |
| - package: encoding/pem |
| symbols: |
| - Decode |
| summary: Stack overflow from a large amount of PEM data in encoding/pem |
| description: |- |
| encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack |
| overflow via a large amount of PEM data. |
| published: 2022-05-20T21:17:25Z |
| cves: |
| - CVE-2022-24675 |
| credits: |
| - Juho Nurminen of Mattermost |
| references: |
| - fix: https://go.dev/cl/399820 |
| - fix: https://go.googlesource.com/go/+/45c3387d777caf28f4b992ad9a6216e3085bb8fe |
| - report: https://go.dev/issue/51853 |
| - web: https://groups.google.com/g/golang-announce/c/oecdBNLOml8 |
| review_status: REVIEWED |