PT-2020-6058 · Go+6
Published 2020-08-06 · Updated 2024-06-15 · CVE-2020-16845
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Go versions 1.13.0 through 1.13.14
Go versions 1.14.0 through 1.14.6
Description
The vulnerability is an infinite read loop in the ReadUvarint and ReadVarint functions of the encoding/binary package. When given malformed input, these functions keep reading bytes without bound instead of returning an error, so a caller may process far more input than expected, particularly when decoding directly from a network connection. A remote attacker can exploit this to cause a denial of service.
Recommendations
For Go versions 1.13.0 through 1.13.14, update to version 1.13.15 or later.
For Go versions 1.14.0 through 1.14.6, update to version 1.14.7 or later.
As a temporary workaround until the update is applied, consider restricting the use of the ReadUvarint and ReadVarint functions in the encoding/binary package. Avoid calling them on untrusted or malformed input to reduce the risk of exploitation.
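The defensive property the patched releases add is a cap on how many bytes one varint may consume. The following Go program is an added example written for this page, not code from the Go project or from the advisory: ReadUvarintBounded, continuationStream, BytesConsumedOnEndlessContinuation, DecodeRoundTrip and TruncatedVarint are hypothetical names, and the endless run of 0x80 bytes is a constructed malformed input. It decodes a LEB128 varint exactly as the standard library does but refuses to read past binary.MaxVarintLen64 (10) bytes, which is the longest encoding a uint64 can need.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrVarintTooLong reports input that spends more than MaxVarintLen64 bytes on a
// single varint. No uint64 needs more than 10 bytes, so such input is malformed.
var ErrVarintTooLong = errors.New("varint exceeds MaxVarintLen64 bytes")

// ReadUvarintBounded decodes a LEB128 unsigned varint from r, consuming at most
// binary.MaxVarintLen64 bytes. It returns the value, the number of bytes
// consumed and an error. The byte cap is what the vulnerable stdlib versions
// lacked: a stream of continuation bytes (high bit set) made them read forever.
func ReadUvarintBounded(r io.ByteReader) (uint64, int, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // varint cut off mid-way
			}
			return x, i, err
		}
		if b < 0x80 {
			// Final byte. The 10th byte may carry only the top bit of a uint64.
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, i + 1, ErrVarintTooLong
			}
			return x | uint64(b)<<s, i + 1, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	// Ten continuation bytes in a row: stop instead of reading on.
	return x, binary.MaxVarintLen64, ErrVarintTooLong
}

// continuationStream is a constructed malformed input: every byte is 0x80, so
// the continuation bit is always set and the varint never terminates. An
// unbounded reader would never return from it.
type continuationStream struct{ served int }

func (c *continuationStream) ReadByte() (byte, error) {
	c.served++
	return 0x80, nil
}

// BytesConsumedOnEndlessContinuation feeds the endless stream to the bounded
// reader and reports how many bytes were pulled before it gave up.
func BytesConsumedOnEndlessContinuation() (int, error) {
	src := &continuationStream{}
	_, _, err := ReadUvarintBounded(src)
	return src.served, err
}

// DecodeRoundTrip encodes v with the stdlib encoder and decodes it with the
// bounded reader, showing that well-formed input is unaffected by the cap.
func DecodeRoundTrip(v uint64) (uint64, int, error) {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, v)
	return ReadUvarintBounded(bytes.NewReader(buf[:n]))
}

// TruncatedVarint decodes a constructed input that ends after a continuation
// byte; this must surface as io.ErrUnexpectedEOF rather than a silent value.
func TruncatedVarint() error {
	_, _, err := ReadUvarintBounded(bytes.NewReader([]byte{0xAC}))
	return err
}

func main() {
	n, err := BytesConsumedOnEndlessContinuation()
	fmt.Printf("endless continuation bytes: consumed %d bytes, err=%v\n", n, err)
	v, n, err := DecodeRoundTrip(300)
	fmt.Printf("round trip: value=%d bytes=%d err=%v\n", v, n, err)
	fmt.Printf("truncated input: err=%v\n", TruncatedVarint())
}
```

On a patched Go (1.13.15, 1.14.7 or later) binary.ReadUvarint enforces the same 10-byte bound and returns an overflow error, so the bounded wrapper is only needed while code still builds against an affected toolchain. Whichever reader is used, decoding directly from a socket should also sit behind a read deadline and an overall size limit, since the per-varint cap only bounds one field, not the whole message.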
Fix
Weakness Enumeration
Infinite Loop
Related Identifiers
Affected Products
Alt Linux
CentOS
Go
Linux Mint
Red Hat
SUSE
Ubuntu