PT-2022-24814 · Go-Cvss · Go-Cvss

Published: 2022-09-15 · Updated: 2023-08-18 · CVE-2022-39213

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: go-cvss versions prior to v0.4.0

Description: When a full CVSS v2.0 vector string is parsed with the ParseVector function, an Out-of-Bounds Read can occur because that code path was not covered by tests, and the Go module panics (a denial of service for any program that parses untrusted vectors). Users unable to upgrade may avoid the issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined.

Recommendations: For versions prior to v0.4.0, upgrade to version v0.4.0 or later to resolve the issue. As a temporary workaround, consider parsing only CVSS v2.0 vector strings that do not have all attributes defined, such as AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M, until a patch is available.
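The workaround above amounts to an input gate in front of the vulnerable parser. The following standard-library Go program is an added example, not go-cvss code: it validates a CVSS v2.0 vector against the specification's 14 metrics and legal values, and refuses any vector in which all 14 metrics are present, so that only partial vectors are handed on to a pre-v0.4.0 ParseVector. It assumes "all attributes defined" means all 14 metric names are present in the string (an explicit ND value still counts as present); the vector quoted in the recommendations carries all six base, three temporal and five environmental metrics, so the gate rejects it, while base-only and base-plus-temporal vectors pass. The GuardLegacyParse name and the constructed test inputs are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example (not go-cvss code): a pre-check that implements the
// advisory's workaround for go-cvss < v0.4.0. Run it on untrusted input
// before calling cvss20.ParseVector so that fully specified CVSS v2.0
// vectors never reach the faulty code path.

// Metric groups of the CVSS v2.0 specification, in vector order.
var v2Groups = [][]string{
	{"AV", "AC", "Au", "C", "I", "A"}, // base (mandatory)
	{"E", "RL", "RC"},                // temporal
	{"CDP", "TD", "CR", "IR", "AR"},  // environmental
}

// Legal values for each metric per the CVSS v2.0 specification.
var v2Values = map[string][]string{
	"AV": {"L", "A", "N"}, "AC": {"H", "M", "L"}, "Au": {"M", "S", "N"},
	"C": {"N", "P", "C"}, "I": {"N", "P", "C"}, "A": {"N", "P", "C"},
	"E": {"U", "POC", "F", "H", "ND"}, "RL": {"OF", "TF", "W", "U", "ND"},
	"RC": {"UC", "UR", "C", "ND"},
	"CDP": {"N", "L", "LM", "MH", "H", "ND"}, "TD": {"N", "L", "M", "H", "ND"},
	"CR": {"L", "M", "H", "ND"}, "IR": {"L", "M", "H", "ND"}, "AR": {"L", "M", "H", "ND"},
}

// totalV2Metrics is 6 base + 3 temporal + 5 environmental.
const totalV2Metrics = 14

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// ParseV2Metrics splits a CVSS v2.0 vector into a metric->value map and
// rejects unknown metrics, illegal values, duplicates, and vectors that
// lack any of the six mandatory base metrics.
func ParseV2Metrics(vector string) (map[string]string, error) {
	metrics := make(map[string]string)
	for _, part := range strings.Split(vector, "/") {
		name, value, ok := strings.Cut(part, ":")
		if !ok {
			return nil, fmt.Errorf("malformed metric %q", part)
		}
		legal, known := v2Values[name]
		if !known {
			return nil, fmt.Errorf("unknown metric %q", name)
		}
		if _, dup := metrics[name]; dup {
			return nil, fmt.Errorf("duplicate metric %q", name)
		}
		if !contains(legal, value) {
			return nil, fmt.Errorf("illegal value %q for metric %q", value, name)
		}
		metrics[name] = value
	}
	for _, base := range v2Groups[0] {
		if _, ok := metrics[base]; !ok {
			return nil, fmt.Errorf("missing mandatory base metric %q", base)
		}
	}
	return metrics, nil
}

// IsFullyDefined reports whether all 14 metrics are present. Assumption:
// "defined" means present in the string, whatever the value (ND included).
func IsFullyDefined(metrics map[string]string) bool {
	return len(metrics) == totalV2Metrics
}

// GuardLegacyParse is the workaround gate (hypothetical name): nil only for
// a well-formed vector that is NOT fully specified, the input the advisory
// says the pre-v0.4.0 parser handles without panicking.
func GuardLegacyParse(vector string) error {
	metrics, err := ParseV2Metrics(vector)
	if err != nil {
		return err
	}
	if IsFullyDefined(metrics) {
		return fmt.Errorf("refusing fully specified CVSS v2.0 vector (all %d metrics present); upgrade go-cvss to v0.4.0 or later", totalV2Metrics)
	}
	return nil
}

func main() {
	for _, v := range []string{
		"AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M", // vector quoted in the advisory: all 14 metrics
		"AV:N/AC:L/Au:N/C:P/I:P/A:C",                                          // constructed: base only
		"AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C",                           // constructed: base + temporal
		"AV:N/AC:L",                                                           // constructed: missing base metrics
	} {
		if err := GuardLegacyParse(v); err != nil {
			fmt.Printf("REJECT %s: %v\n", v, err)
		} else {
			fmt.Printf("ALLOW  %s\n", v)
		}
	}
}
```

In a service that stores or scores user-supplied vectors, place the gate at the trust boundary (request validation) and log rejections, so the vulnerable parser is never the first thing to see the string; after upgrading to v0.4.0 the full-vector refusal can be dropped while the format validation stays useful.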


Weakness Enumeration

Out-of-bounds Read

Related Identifiers

CVE-2022-39213
GHSA-XHMF-MMV2-4HHX
GO-2022-1002

Affected Products

Go-Cvss