CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/internal/language-v0.3.2 #336

mend-for-github-com · 2021-01-06T01:00:26Z

CVE-2020-28852 - High Severity Vulnerability

Vulnerable Libraries - github.com/golang/text-v0.3.2, github.com/golang/text/internal/language-v0.3.2

github.com/golang/text-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

gopkg.in/couchbase/gocb.v1-v1.6.1 (Root Library)
- gopkg.in/couchbase/gocbcore.v7-v7.1.13
  - golang.org/x/net/http2-ca1201d0de80cfde86cb01aea620983605dfe99b
    - golang.org/x/net/http/httpguts-ca1201d0de80cfde86cb01aea620983605dfe99b
      - golang.org/x/net/idna-ca1201d0de80cfde86cb01aea620983605dfe99b
        
        github.com/golang/text/secure/bidirule-v0.3.2
        
        github.com/golang/text/unicode/bidi-v0.3.2
        
        github.com/golang/text/unicode/rangetable-v0.3.2
        
        ❌ github.com/golang/text-v0.3.2 (Vulnerable Library)

github.com/golang/text/internal/language-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

gopkg.in/couchbase/gocb.v1-v1.6.1 (Root Library)
- gopkg.in/couchbase/gocbcore.v7-v7.1.13
  - golang.org/x/net/http2-ca1201d0de80cfde86cb01aea620983605dfe99b
    - golang.org/x/net/http/httpguts-ca1201d0de80cfde86cb01aea620983605dfe99b
      - golang.org/x/net/idna-ca1201d0de80cfde86cb01aea620983605dfe99b
        
        github.com/golang/text/secure/bidirule-v0.3.2
        
        github.com/golang/text/unicode/bidi-v0.3.2
        
        github.com/golang/text/unicode/rangetable-v0.3.2
        
        github.com/golang/text-v0.3.2
        
        ❌ github.com/golang/text/internal/language-v0.3.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28852

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28852

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.5-1,0.3.5-1

mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Jan 6, 2021

mend-for-github-com bot changed the title ~~CVE-2020-28852 (Medium) detected in github.com/golang/text/internal/language-v0.3.2~~ CVE-2020-28852 (High) detected in github.com/golang/text/internal/language-v0.3.2 Apr 21, 2021

mend-for-github-com bot changed the title ~~CVE-2020-28852 (High) detected in github.com/golang/text/internal/language-v0.3.2~~ CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/internal/language-v0.3.2 Apr 12, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/internal/language-v0.3.2 #336

CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/internal/language-v0.3.2 #336

mend-for-github-com bot commented Jan 6, 2021 •

edited

Loading

CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/internal/language-v0.3.2 #336

CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/internal/language-v0.3.2 #336

Comments

mend-for-github-com bot commented Jan 6, 2021 • edited Loading

CVE-2020-28852 - High Severity Vulnerability

mend-for-github-com bot commented Jan 6, 2021 •

edited

Loading