blob: f73953904784aa8f1293d036e47c3a33fa8c006a [file] [log] [blame]
id: GO-2022-0197
modules:
- module: golang.org/x/net
versions:
- fixed: 0.0.0-20190125002852-4b62a64f59f7
vulnerable_at: 0.0.0-20190119204137-ed066c81e75e
packages:
- package: golang.org/x/net/html
symbols:
- nodeStack.contains
derived_symbols:
- Parse
- ParseFragment
summary: Panic when parsing certain inputs in golang.org/x/net/html
description: |-
The Parse function can panic on some invalid inputs.
For example, the Parse function panics on the input
"<svg><template><desc><t><svg></template>".
published: 2022-07-01T20:15:19Z
cves:
- CVE-2018-17847
- CVE-2018-17848
ghsas:
- GHSA-4r78-hx75-jjj2
- GHSA-mv93-wvcp-7m7r
credits:
- '@tr3ee'
references:
- fix: https://go.dev/cl/159397
- fix: https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c
- report: https://go.dev/issue/27846
review_status: REVIEWED