PT-2022-20222 · Google+9 · Go+9

Tatiana

·

Published

2022-07-12

·

Updated

2024-06-15

·

CVE-2022-30633

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Go versions prior to 1.17.12 Go versions prior to 1.18.4
Description The issue is caused by uncontrolled recursion in the Unmarshal function in encoding/xml. This allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the any field tag.
Recommendations For Go versions prior to 1.17.12, update to version 1.17.12 or later to resolve the issue. For Go versions prior to 1.18.4, update to version 1.18.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the any field tag in Go structs until a patch is available.

Fix

Uncontrolled Recursion

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-674

Related Identifiers

ALSA-2022:5775
ALSA-2022:5799
ALSA-2022:7519
ALSA-2022:7529
ALSA-2022:8057
ALSA-2023:2758
ALSA-2023:2802
ALT-PU-2022-2310
ALT-PU-2022-2316
ALT-PU-2022-2873
ALT-PU-2023-1205
AZL-10536
AZL-79040
BIT-GOLANG-2022-30633
CESA-2022_5775
CESA-2022_7519
CESA-2022_7529
CESA-2023_2758
CESA-2023_2802
CVE-2022-30633
GO-2022-0523
MGASA-2022-0262
OESA-2022-1783
OPENSUSE-SU-2022_2671-1
OPENSUSE-SU-2022_2672-1
OPENSUSE-SU-2024:12189-1
OPENSUSE-SU-2024:12190-1
RHSA-2022:5775
RHSA-2022:5799
RHSA-2022:5866
RHSA-2022:6042
RHSA-2022:6113
RHSA-2022:7519
RHSA-2022:7529
RHSA-2022:8057
RHSA-2022_5775
RHSA-2022_5799
RHSA-2022_7519
RHSA-2022_7529
RHSA-2022_8057
RHSA-2023:0407
RHSA-2023:2758
RHSA-2023:2802
RHSA-2023_2758
RHSA-2023_2802
RLSA-2022:5775
RLSA-2022:5799
RLSA-2022:7519
RLSA-2022:7529
RLSA-2022:8057
SUSE-SU-2022:2671-1
SUSE-SU-2022:2672-1
SUSE-SU-2023:2312-1
USN-6038-1
USN-6038-2

Affected Products

Alt Linux
Almalinux
Centos
Debian
Go
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu