+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE            | SEVERITY | CVSS | PACKAGE | VERSION | STATUS                   | PUBLISHED   | DISCOVERED | DESCRIPTION                                        | TRIGGERED FAILURE |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-38297 | critical | 9.80 | go      | 1.13.15 | fixed in 1.17.2, 1.16.9  | > 3 months  | < 1 hour   | Go before 1.16.9 and 1.17.x before 1.17.2 has a    | Yes               |
|                |          |      |         |         | > 3 months ago           |             |            | Buffer Overflow via large arguments in a function  |                   |
|                |          |      |         |         |                          |             |            | invocation from a WASM module, when GOARCH=wasm    |                   |
|                |          |      |         |         |                          |             |            | GOOS...                                            |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-44716 | high     | 7.50 | go      | 1.13.15 | fixed in 1.17.5, 1.16.12 | 41 days     | < 1 hour   | net/http in Go before 1.16.12 and 1.17.x before    | Yes               |
|                |          |      |         |         | 41 days ago              |             |            | 1.17.5 allows uncontrolled memory consumption      |                   |
|                |          |      |         |         |                          |             |            | in the header canonicalization cache via HTTP/2    |                   |
|                |          |      |         |         |                          |             |            | requests...                                        |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-41772 | high     | 7.50 | go      | 1.13.15 | fixed in 1.17.3, 1.16.10 | > 3 months  | < 1 hour   | Go before 1.16.10 and 1.17.x before 1.17.3 allows  | Yes               |
|                |          |      |         |         | > 3 months ago           |             |            | an archive/zip Reader.Open panic via a crafted     |                   |
|                |          |      |         |         |                          |             |            | ZIP archive containing an invalid name or an empty |                   |
|                |          |      |         |         |                          |             |            | fi...                                              |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-41771 | high     | 7.50 | go      | 1.13.15 | fixed in 1.17.3, 1.16.10 | > 3 months  | < 1 hour   | ImportedSymbols in debug/macho (for Open or        | Yes               |
|                |          |      |         |         | > 3 months ago           |             |            | OpenFat) in Go before 1.16.10 and 1.17.x before    |                   |
|                |          |      |         |         |                          |             |            | 1.17.3 Accesses a Memory Location After the End of |                   |
|                |          |      |         |         |                          |             |            | a Buffe...                                         |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-39293 | high     | 7.50 | go      | 1.13.15 | fixed in 1.17.1, 1.16.8  | 18 days     | < 1 hour   | In archive/zip in Go before 1.16.8 and 1.17.x      | Yes               |
|                |          |      |         |         | 18 days ago              |             |            | before 1.17.1, a crafted archive header (falsely   |                   |
|                |          |      |         |         |                          |             |            | designating that many files are present) can cause |                   |
|                |          |      |         |         |                          |             |            | a Ne...                                            |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-33198 | high     | 7.50 | go      | 1.13.15 | fixed in 1.16.5, 1.15.13 | > 6 months  | < 1 hour   | In Go before 1.15.13 and 1.16.x before 1.16.5,     | Yes               |
|                |          |      |         |         | > 6 months ago           |             |            | there can be a panic for a large exponent to the   |                   |
|                |          |      |         |         |                          |             |            | math/big.Rat SetString or UnmarshalText method.    |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-33196 | high     | 7.50 | go      | 1.13.15 | fixed in 1.16.5, 1.15.13 | > 6 months  | < 1 hour   | In archive/zip in Go before 1.15.13 and 1.16.x     | Yes               |
|                |          |      |         |         | > 6 months ago           |             |            | before 1.16.5, a crafted file count (in an         |                   |
|                |          |      |         |         |                          |             |            | archive's header) can cause a NewReader or         |                   |
|                |          |      |         |         |                          |             |            | OpenReader panic...                                |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-33194 | high     | 7.50 | go      | 1.13.15 |                          | > 8 months  | < 1 hour   | golang.org/x/net before                            | Yes               |
|                |          |      |         |         |                          |             |            | v0.0.0-20210520170846-37e1c6afe023 allows          |                   |
|                |          |      |         |         |                          |             |            | attackers to cause a denial of service (infinite   |                   |
|                |          |      |         |         |                          |             |            | loop) via crafted ParseFragment inp...             |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-29923 | high     | 7.50 | go      | 1.13.15 | fixed in 1.17            | > 6 months  | < 1 hour   | Go before 1.17 does not properly consider          | Yes               |
|                |          |      |         |         | > 6 months ago           |             |            | extraneous zero characters at the beginning of     |                   |
|                |          |      |         |         |                          |             |            | an IP address octet, which (in some situations)    |                   |
|                |          |      |         |         |                          |             |            | allows attack...                                   |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-27918 | high     | 7.50 | go      | 1.13.15 | fixed in 1.16.1, 1.15.9  | > 11 months | < 1 hour   | encoding/xml in Go before 1.15.9 and 1.16.x        | Yes               |
|                |          |      |         |         | > 11 months ago          |             |            | before 1.16.1 has an infinite loop if a custom     |                   |
|                |          |      |         |         |                          |             |            | TokenReader (for xml.NewTokenDecoder) returns EOF  |                   |
|                |          |      |         |         |                          |             |            | in the mi...                                       |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2020-28367 | high     | 7.50 | go      | 1.13.15 | fixed in 1.15.5, 1.14.12 | > 1 years   | < 1 hour   | Go before 1.14.12 and 1.15.x before 1.15.5 allows  | Yes               |
|                |          |      |         |         | > 1 years ago            |             |            | Argument Injection.                                |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2020-28366 | high     | 7.50 | go      | 1.13.15 | fixed in 1.15.5, 1.14.12 | > 1 years   | < 1 hour   | Go before 1.14.12 and 1.15.x before 1.15.5 allows  | Yes               |
|                |          |      |         |         | > 1 years ago            |             |            | Code Injection.                                    |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2020-28362 | high     | 7.50 | go      | 1.13.15 | fixed in 1.15.4, 1.14.12 | > 1 years   | < 1 hour   | Go before 1.14.12 and 1.15.x before 1.15.4 allows  | Yes               |
|                |          |      |         |         | > 1 years ago            |             |            | Denial of Service.                                 |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-33195 | high     | 7.30 | go      | 1.13.15 | fixed in 1.16.5, 1.15.13 | > 6 months  | < 1 hour   | Go before 1.15.13 and 1.16.x before 1.16.5 has     | Yes               |
|                |          |      |         |         | > 6 months ago           |             |            | functions for DNS lookups that do not validate     |                   |
|                |          |      |         |         |                          |             |            | replies from DNS servers, and thus a return value  |                   |
|                |          |      |         |         |                          |             |            | may co...                                          |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-34558 | medium   | 6.50 | go      | 1.13.15 |                          | > 7 months  | < 1 hour   | The crypto/tls package of Go through 1.16.5 does   | No                |
|                |          |      |         |         |                          |             |            | not properly assert that the type of public key    |                   |
|                |          |      |         |         |                          |             |            | in an X.509 certificate matches the expected type  |                   |
|                |          |      |         |         |                          |             |            | whe...                                             |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-3114  | medium   | 6.50 | go      | 1.13.15 | fixed in 1.15.7, 1.14.14 | > 1 years   | < 1 hour   | In Go before 1.14.14 and 1.15.x before 1.15.7,     | No                |
|                |          |      |         |         | > 1 years ago            |             |            | crypto/elliptic/p224.go can generate incorrect     |                   |
|                |          |      |         |         |                          |             |            | outputs, related to an underflow of the lowest     |                   |
|                |          |      |         |         |                          |             |            | limb duri...                                       |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2020-24553 | medium   | 6.10 | go      | 1.13.15 | fixed in 1.15.1, 1.14.8  | > 1 years   | < 1 hour   | Go before 1.14.8 and 1.15.x before 1.15.1 allows   | No                |
|                |          |      |         |         | > 1 years ago            |             |            | XSS because text/html is the default for CGI/FCGI  |                   |
|                |          |      |         |         |                          |             |            | handlers that lack a Content-Type header.          |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-36221 | medium   | 5.90 | go      | 1.13.15 | fixed in 1.16.7, 1.15.15 | > 6 months  | < 1 hour   | Go before 1.15.15 and 1.16.x before 1.16.7         | No                |
|                |          |      |         |         | > 6 months ago           |             |            | has a race condition that can lead to a            |                   |
|                |          |      |         |         |                          |             |            | net/http/httputil ReverseProxy panic upon an       |                   |
|                |          |      |         |         |                          |             |            | ErrAbortHandler abort.                             |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-31525 | medium   | 5.90 | go      | 1.13.15 | fixed in 1.16.4, 1.15.12 | > 8 months  | < 1 hour   | net/http in Go before 1.15.12 and 1.16.x before    | No                |
|                |          |      |         |         | > 8 months ago           |             |            | 1.16.4 allows remote attackers to cause a          |                   |
|                |          |      |         |         |                          |             |            | denial of service (panic) via a large header to    |                   |
|                |          |      |         |         |                          |             |            | ReadRequest ...                                    |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2020-29510 | medium   | 5.60 | go      | 1.13.15 |                          | > 1 years   | < 1 hour   | The encoding/xml package in Go versions 1.15 and   | No                |
|                |          |      |         |         |                          |             |            | earlier does not correctly preserve the semantics  |                   |
|                |          |      |         |         |                          |             |            | of directives during tokenization round-trips,     |                   |
|                |          |      |         |         |                          |             |            | whic...                                            |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-33197 | medium   | 5.30 | go      | 1.13.15 | fixed in 1.16.5, 1.15.13 | > 6 months  | < 1 hour   | In Go before 1.15.13 and 1.16.x before 1.16.5,     | No                |
|                |          |      |         |         | > 6 months ago           |             |            | some configurations of ReverseProxy (from          |                   |
|                |          |      |         |         |                          |             |            | net/http/httputil) result in a situation where an  |                   |
|                |          |      |         |         |                          |             |            | attacker is...                                     |                   |
+----------------+----------+------+---------+---------+--------------------------+-------------+------------+----------------------------------------------------+-------------------+

Vulnerabilities found for image total - 21, critical - 1, high - 13, medium - 7, low - 0
Vulnerability threshold check results: FAIL
Scan failed due to vulnerability policy violations: Default - Alert all / Block High - Critical, 14 vulnerabilities, [critical:1 high:13]