New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-14040 (High) detected in multiple libraries #2

Open

mend-for-github-com bot opened this issue Jul 10, 2020 · 0 comments

Labels

security vulnerability

mend-for-github-com bot commented Jul 10, 2020 •

edited

Loading

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Libraries - golang.org/x/text/encoding/unicode-v0.3.2, golang.org/x/text/encoding-v0.3.2, golang.org/x/text/internal/language/compact-v0.3.2, golang.org/x/text/internal/language-v0.3.2, golang.org/x/text/transform-v0.3.2

golang.org/x/text/encoding/unicode-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

github.com/packer-community/winrmcp/winrmcp-c76d91c1e7db27b0868c5d09e292bb540616c9a2 (Root Library)
- github.com/masterzen/winrm
  - github.com/christrenkamp/goxpath-c5096ec8773dd9f554971472081ddfbb0782334e
    - github.com/christrenkamp/goxpath/internal/execxp-c5096ec8773dd9f554971472081ddfbb0782334e
      - github.com/christrenkamp/goxpath/tree-c5096ec8773dd9f554971472081ddfbb0782334e
        
        golang.org/x/net/html/charset-627f9648deb96c27737b83199d44bb5c1010cbcf
        
        golang.org/x/text/encoding/htmlindex-v0.3.2
        
        golang.org/x/text/encoding/korean-v0.3.2
        
        golang.org/x/text/encoding-v0.3.2
        
        ❌ golang.org/x/text/encoding/unicode-v0.3.2 (Vulnerable Library)

golang.org/x/text/encoding-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

github.com/packer-community/winrmcp/winrmcp-c76d91c1e7db27b0868c5d09e292bb540616c9a2 (Root Library)
- github.com/masterzen/winrm
  - github.com/christrenkamp/goxpath-c5096ec8773dd9f554971472081ddfbb0782334e
    - github.com/christrenkamp/goxpath/internal/execxp-c5096ec8773dd9f554971472081ddfbb0782334e
      - github.com/christrenkamp/goxpath/tree-c5096ec8773dd9f554971472081ddfbb0782334e
        
        golang.org/x/net/html/charset-627f9648deb96c27737b83199d44bb5c1010cbcf
        
        golang.org/x/text/encoding/htmlindex-v0.3.2
        
        golang.org/x/text/encoding/korean-v0.3.2
        
        ❌ golang.org/x/text/encoding-v0.3.2 (Vulnerable Library)

golang.org/x/text/internal/language/compact-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

github.com/packer-community/winrmcp/winrmcp-c76d91c1e7db27b0868c5d09e292bb540616c9a2 (Root Library)
- github.com/masterzen/winrm
  - github.com/christrenkamp/goxpath-c5096ec8773dd9f554971472081ddfbb0782334e
    - github.com/christrenkamp/goxpath/internal/execxp-c5096ec8773dd9f554971472081ddfbb0782334e
      - github.com/christrenkamp/goxpath/tree-c5096ec8773dd9f554971472081ddfbb0782334e
        
        golang.org/x/net/html/charset-627f9648deb96c27737b83199d44bb5c1010cbcf
        
        golang.org/x/text/encoding/htmlindex-v0.3.2
        
        golang.org/x/text/encoding/korean-v0.3.2
        
        golang.org/x/text/encoding-v0.3.2
        
        golang.org/x/text/language-v0.3.2
        golang.org/x/text/internal/language-v0.3.2
        ❌ golang.org/x/text/internal/language/compact-v0.3.2 (Vulnerable Library)

golang.org/x/text/internal/language-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

github.com/packer-community/winrmcp/winrmcp-c76d91c1e7db27b0868c5d09e292bb540616c9a2 (Root Library)
- github.com/masterzen/winrm
  - github.com/christrenkamp/goxpath-c5096ec8773dd9f554971472081ddfbb0782334e
    - github.com/christrenkamp/goxpath/internal/execxp-c5096ec8773dd9f554971472081ddfbb0782334e
      - github.com/christrenkamp/goxpath/tree-c5096ec8773dd9f554971472081ddfbb0782334e
        
        golang.org/x/net/html/charset-627f9648deb96c27737b83199d44bb5c1010cbcf
        
        golang.org/x/text/encoding/htmlindex-v0.3.2
        
        golang.org/x/text/encoding/korean-v0.3.2
        
        golang.org/x/text/encoding-v0.3.2
        
        golang.org/x/text/language-v0.3.2
        ❌ golang.org/x/text/internal/language-v0.3.2 (Vulnerable Library)

golang.org/x/text/transform-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

github.com/hashicorp/hcl-v1.0.0 (Root Library)
- github.com/hashicorp/hcl/v2/hcldec-v2.6.0
  - github.com/zclconf/go-cty/cty/function-v1.5.1
    - github.com/zclconf/go-cty/cty/convert-v1.5.1
      - github.com/zclconf/go-cty/cty-v1.5.1
        
        golang.org/x/text/unicode/norm-v0.3.2
        
        ❌ golang.org/x/text/transform-v0.3.2 (Vulnerable Library)

Found in HEAD commit: e6da2b93014fd481cd513e40af9bcf1ec77c893b

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040

Release Date: 2020-06-17

Fix Resolution: text - v0.3.3

mend-for-github-com bot added the security vulnerability label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment