#VU68779 Improper Validation of Array Index in Go Text - CVE-2020-28851


Vulnerability identifier: #VU68779

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-28851, CVE-2020-28852

CWE-ID: CWE-129

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go Text
Universal components / Libraries / Libraries used by multiple products

Vendor: Go

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of array index in language.ParseAcceptLanguage while processing a BCP 47 tag. A remote attacker can send a specially crafted HTTP request containing a malformed HTTP Accept-Language header and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go Text: 0.1.0 - 0.3.5

External links
https://github.com/golang/go/issues/42536
https://security.netapp.com/advisory/ntap-20210212-0004/
https://github.com/golang/go/issues/42535

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
Multiple vulnerabilities in IBM Storage Fusion
Splunk Enterprise update for third-party packages
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Improper validation of array index in IBM CICS TX Standard
Improper validation of array index in IBM CICS TX Advanced
Ubuntu update for golang-golang-x-text
Multiple vulnerabilities in Migration Toolkit for Containers (MTC)
Red Hat Enterprise Linux 9 update for podman
Anolis OS update for git-lfs