CVE-2021-38561

CVSS V2 None CVSS V3 None

Description

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Overview

CVE ID
CVE-2021-38561

Assigner
cve@mitre.org

Vulnerability Status
Analyzed

Published Version
2022-12-26T06:15:10

Last Modified Date
2023-01-05T04:52:36

Weakness Enumerations

CWE	URL
CWE-125	http://cwe.mitre.org/data/definitions/125.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:golang:text::::::::	1	OR		0.3.7

References

Reference URL	Reference Tags
https://deps.dev/advisory/OSV/GO-2021-0113
https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f
https://groups.google.com/g/golang-announce
https://pkg.go.dev/golang.org/x/text/language

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2021-38561
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38561

History

Created	Old Value	New Value	Data Type	Notes
2022-12-26 06:16:08				Added to TrackCVE
2022-12-27 14:15:50		2022-12-27T13:48:11	CVE Modified Date	updated
2022-12-27 14:15:50	Received	Awaiting Analysis	Vulnerability Status	updated
2023-01-03 15:15:02	Awaiting Analysis	Undergoing Analysis	Vulnerability Status	updated
2023-01-05 05:15:19		2023-01-05T04:52:36	CVE Modified Date	updated
2023-01-05 05:15:19	Undergoing Analysis	Analyzed	Vulnerability Status	updated
2023-01-05 05:15:19			Weakness Enumeration	new
2023-01-05 05:15:20			CPE Information	updated