Published: 13/09/2022 Updated: 07/11/2023

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 0

A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. (CVE-2022-1705) A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an malicious user to impact system availability. (CVE-2022-1962) In net/http in Go prior to 1.18.6 and 1.19.x prior to 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664) A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an malicious user to impact system availability. (CVE-2022-28131) A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an malicious user to impact availability. (CVE-2022-30630) A flaw was found in golang. Calling the Reader.Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion. (CVE-2022-30631) A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an malicious user to impact availability. (CVE-2022-30632) Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an malicious user to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the any field tag. (CVE-2022-30633) A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an malicious user to impact system availability. (CVE-2022-30635) Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. (CVE-2022-32148) JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("go.dev", "../go") returns the URL "go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

Vulnerable Product	Search on Vulmon	Subscribe to Product
golang go 1.19.0

Synopsis Moderate: OpenShift Virtualization 4130 RPMs security and bug fix update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic Red Hat OpenShift Virtualization release 4130 is now available with updates to packages ...

Synopsis Moderate: Migration Toolkit for Containers (MTC) 177 security and bug fix update Type/Severity Security Advisory: Moderate Topic The Migration Toolkit for Containers (MTC) 177 is now availableRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base ...

Synopsis Important: Red Hat OpenShift Service Mesh Containers for 240 Type/Severity Security Advisory: Important Topic Red Hat OpenShift Service Mesh Containers for 240Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed sev ...

Synopsis Moderate: OpenShift Container Platform 41222 packages and security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic Red Hat OpenShift Container Platform release 41222 is now available with updates to pac ...

Synopsis Important: Migration Toolkit for Applications security and bug fix update Type/Severity Security Advisory: Important Topic Migration Toolkit for Applications 610 releaseRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a deta ...

Synopsis Important: OpenShift Container Platform 41144 bug fix and security update Type/Severity Security Advisory: Important Topic Red Hat OpenShift Container Platform release 41144 is now available with updates to packages and images that fix several bugs and add enhancementsThis release includes a security update for Red Hat OpenShift ...

Synopsis Important: OpenShift Container Platform 41248 bug fix and security update Type/Severity Security Advisory: Important Topic Red Hat OpenShift Container Platform release 41248 is now available with updates to packages and images that fix several bugs and add enhancementsThis release includes a security update for Red Hat OpenShift ...

Synopsis Moderate: OpenShift Virtualization 4130 Images security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Virtualization release 4130 is now available with updates to packages and images that fix several bugs and add enhancementsRed Hat Product Security has rated this update as ha ...

Synopsis Moderate: OpenShift API for Data Protection (OADP) 111 security and bug fix update Type/Severity Security Advisory: Moderate Topic OpenShift API for Data Protection (OADP) 111 is now availableRed Hat Product Security has rated this update as having a security impactof Moderate A Common Vulnerability Scoring System (CVSS) base s ...

Synopsis Important: Red Hat Ceph Storage 61 Container security and bug fix update Type/Severity Security Advisory: Important Topic A new container image for Red Hat Ceph Storage 61 is now available in the Red Hat Ecosystem CatalogRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability ...

Synopsis Moderate: Secondary Scheduler Operator for Red Hat OpenShift 111 security update Type/Severity Security Advisory: Moderate Topic Secondary Scheduler Operator for Red Hat OpenShift 111Red Hat Product Security has rated this update as having a security impact ofModerate A Common Vulnerability Scoring System (CVSS) base score, whic ...

Synopsis Moderate: Red Hat OpenShift (Logging Subsystem) security update Type/Severity Security Advisory: Moderate Topic An update for Logging Subsystem (560) is now available for Red Hat OpenShift Container PlatformRed Hat Product Security has rated this update as having a security impactof Moderate A Common Vulnerability Scoring System ...

Synopsis Moderate: OpenShift Container Platform 4120 bug fix and security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4120 is now available withupdates to packages and images that fix several bugs and add enhancementsThis release includes a security update for Red Hat OpenShift Cont ...

Synopsis Important: Red Hat OpenShift Data Foundation 4130 security and bug fix update Type/Severity Security Advisory: Important Topic Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4130 on Red Hat Enterprise Linux 9Red Hat ...

JoinPath and URLJoinPath do not remove / path elements appended to a relative path For example, JoinPath("godev", "/go") returns the URL "godev//go", despite the JoinPath documentation stating that / path elements are removed from the result ...

A flaw was found in golang The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid (CVE-2022-1705) A flaw was found in the golang standard library, go/parser When callin ...

In net/http in Go before 1186 and 119x before 1191, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error (CVE-2022-27664) JoinPath and URLJoinPath do not remove / path elements appended to a relative path For example, JoinPath("godev", "/go") r ...

test-go-container-images During various experiences with container image vulnerability scanners, I've found their accuracy to be well varied Especially when you add Go binaries to the mix This repository contains the sources, configurations, and build scripts for a collection of Go binaries and associated container images intended for testing container vulnerabilit

CWE-22 https://go.dev/cl/423514 https://groups.google.com/g/golang-announce/c/x49AQzIVX-s https://pkg.go.dev/vuln/GO-2022-0988 https://go.dev/issue/54385 https://nvd.nist.gov https://github.com/chair6/test-go-container-images https://access.redhat.com/errata/RHSA-2023:3204 https://access.redhat.com/security/cve/cve-2022-32190 https://alas.aws.amazon.com/AL2022/ALAS-2022-193.html

Get Started

CVE-2022-32190

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect