data/reports/GO-2020-0014.yaml - vulndb - Git at Google

 id: GO-2020-0014
 modules:
     - module: golang.org/x/net
       versions:
         - fixed: 0.0.0-20190125091013-d26f9f9a57f3
       vulnerable_at: 0.0.0-20190125002852-4b62a64f59f7
       packages:
         - package: golang.org/x/net/html
           symbols:
             - inSelectIM
             - inSelectInTableIM
           derived_symbols:
             - Parse
             - ParseFragment
 summary: Infinite loop due to improper handling of "select" tags in golang.org/x/net/html
 description: |-
     html.Parse does not properly handle "select" tags, which can lead to an infinite
     loop. If parsing user supplied input, this may be used as a denial of service
     vector.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2018-17846
 ghsas:
     - GHSA-vfw5-hrgq-h5wf
 credits:
     - '@tr3ee'
 references:
     - fix: https://go-review.googlesource.com/c/137275
     - fix: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
     - report: https://go.dev/issue/27842
	id: GO-2020-0014
	modules:
	- module: golang.org/x/net
	versions:
	- fixed: 0.0.0-20190125091013-d26f9f9a57f3
	vulnerable_at: 0.0.0-20190125002852-4b62a64f59f7
	packages:
	- package: golang.org/x/net/html
	symbols:
	- inSelectIM
	- inSelectInTableIM
	derived_symbols:
	- Parse
	- ParseFragment
	summary: Infinite loop due to improper handling of "select" tags in golang.org/x/net/html
	description: \|-
	html.Parse does not properly handle "select" tags, which can lead to an infinite
	loop. If parsing user supplied input, this may be used as a denial of service
	vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2018-17846
	ghsas:
	- GHSA-vfw5-hrgq-h5wf
	credits:
	- '@tr3ee'
	references:
	- fix: https://go-review.googlesource.com/c/137275
	- fix: https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
	- report: https://go.dev/issue/27842