blob: 3c045f47e0963a3c415d62e6f74969c61c60865f [file] [log] [blame]
id: GO-2022-1059
modules:
- module: golang.org/x/text
versions:
- fixed: 0.3.8
vulnerable_at: 0.3.7
packages:
- package: golang.org/x/text/language
symbols:
- ParseAcceptLanguage
derived_symbols:
- MatchStrings
summary: |-
Denial of service via crafted Accept-Language header in
golang.org/x/text/language
description: |-
An attacker may cause a denial of service by crafting an Accept-Language header
which ParseAcceptLanguage will take significant time to parse.
ghsas:
- GHSA-69ch-w2m2-3vjp
credits:
- Adam Korczynski (ADA Logics)
- OSS-Fuzz
references:
- report: https://go.dev/issue/56152
- fix: https://go.dev/cl/442235
- web: https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ
cve_metadata:
id: CVE-2022-32149
cwe: 'CWE 400: Uncontrolled Resource Consumption'