data/reports/GO-2021-0238.yaml - vulndb - Git at Google

 id: GO-2021-0238
 modules:
     - module: golang.org/x/net
       versions:
         - fixed: 0.0.0-20210520170846-37e1c6afe023
       vulnerable_at: 0.0.0-20210510120150-4163338589ed
       packages:
         - package: golang.org/x/net/html
           symbols:
             - inHeadIM
           derived_symbols:
             - Parse
             - ParseFragment
             - ParseFragmentWithOptions
             - ParseWithOptions
 summary: Infinite loop when parsing inputs in golang.org/x/net/html
 description: |-
     An attacker can craft an input to ParseFragment that causes it to enter an
     infinite loop and never return.
 published: 2022-02-17T17:33:43Z
 cves:
     - CVE-2021-33194
 ghsas:
     - GHSA-83g2-8m93-v3w7
 credits:
     - OSS-Fuzz (discovery)
     - Andrew Thornton (reporter)
 references:
     - fix: https://go.dev/cl/311090
     - fix: https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7
     - report: https://go.dev/issue/46288
     - web: https://groups.google.com/g/golang-announce/c/wPunbCPkWUg
	id: GO-2021-0238
	modules:
	- module: golang.org/x/net
	versions:
	- fixed: 0.0.0-20210520170846-37e1c6afe023
	vulnerable_at: 0.0.0-20210510120150-4163338589ed
	packages:
	- package: golang.org/x/net/html
	symbols:
	- inHeadIM
	derived_symbols:
	- Parse
	- ParseFragment
	- ParseFragmentWithOptions
	- ParseWithOptions
	summary: Infinite loop when parsing inputs in golang.org/x/net/html
	description: \|-
	An attacker can craft an input to ParseFragment that causes it to enter an
	infinite loop and never return.
	published: 2022-02-17T17:33:43Z
	cves:
	- CVE-2021-33194
	ghsas:
	- GHSA-83g2-8m93-v3w7
	credits:
	- OSS-Fuzz (discovery)
	- Andrew Thornton (reporter)
	references:
	- fix: https://go.dev/cl/311090
	- fix: https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7
	- report: https://go.dev/issue/46288
	- web: https://groups.google.com/g/golang-announce/c/wPunbCPkWUg