blob: b78747fb44944100a4b69f494f59a07c57043632 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2021-0142",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-07-01T20:11:09Z",
"aliases": [
"CVE-2020-16845",
"GHSA-q6gq-997w-f55g"
],
"summary": "Unbounded read from invalid inputs in encoding/binary",
"details": "ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs.\n\nCertain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.15"
},
{
"introduced": "1.14.0-0"
},
{
"fixed": "1.14.7"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "encoding/binary",
"symbols": [
"ReadUvarint",
"ReadVarint"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/247120"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/40618"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo"
}
],
"credits": [
{
"name": "Diederik Loerakker"
},
{
"name": "Jonny Rhea"
},
{
"name": "Raúl Kripalani"
},
{
"name": "Preston Van Loon"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0142",
"review_status": "REVIEWED"
}
}