data/reports/GO-2022-0197.yaml - vulndb - Git at Google

 id: GO-2022-0197
 modules:
     - module: golang.org/x/net
       versions:
         - fixed: 0.0.0-20190125002852-4b62a64f59f7
       vulnerable_at: 0.0.0-20190119204137-ed066c81e75e
       packages:
         - package: golang.org/x/net/html
           symbols:
             - nodeStack.contains
           derived_symbols:
             - Parse
             - ParseFragment
 summary: Panic when parsing certain inputs in golang.org/x/net/html
 description: |-
     The Parse function can panic on some invalid inputs.

     For example, the Parse function panics on the input
     "<svg><template><desc><t><svg></template>".
 published: 2022-07-01T20:15:19Z
 cves:
     - CVE-2018-17847
     - CVE-2018-17848
 ghsas:
     - GHSA-4r78-hx75-jjj2
     - GHSA-mv93-wvcp-7m7r
 credits:
     - '@tr3ee'
 references:
     - fix: https://go.dev/cl/159397
     - fix: https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c
     - report: https://go.dev/issue/27846
	id: GO-2022-0197
	modules:
	- module: golang.org/x/net
	versions:
	- fixed: 0.0.0-20190125002852-4b62a64f59f7
	vulnerable_at: 0.0.0-20190119204137-ed066c81e75e
	packages:
	- package: golang.org/x/net/html
	symbols:
	- nodeStack.contains
	derived_symbols:
	- Parse
	- ParseFragment
	summary: Panic when parsing certain inputs in golang.org/x/net/html
	description: \|-
	The Parse function can panic on some invalid inputs.

	For example, the Parse function panics on the input
	"<svg><template><desc><t><svg></template>".
	published: 2022-07-01T20:15:19Z
	cves:
	- CVE-2018-17847
	- CVE-2018-17848
	ghsas:
	- GHSA-4r78-hx75-jjj2
	- GHSA-mv93-wvcp-7m7r
	credits:
	- '@tr3ee'
	references:
	- fix: https://go.dev/cl/159397
	- fix: https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c
	- report: https://go.dev/issue/27846