CVE-2022-24921
HIGH7.5EPSS 0.02%Stack exhaustion when compiling deeply nested expressions in regexp
發布日:2022/5/23修改日:2024/5/20
也稱為:BIT-golang-2022-24921GO-2021-0347
描述
On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.
受影響套件(3)
- Bitnami/golangfrom 0, < 1.16.15, >= 1.17.0, < 1.17.8
- Debian/golang-1.15from 0, < 1.15.15-1~deb11u4
- Go/stdlibfrom 0, < 1.16.15, >= 1.17.0-0, < 1.17.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(12)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-24921
- PATCHhttps://go.dev/cl/384616
- PATCHhttps://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
- REPORThttps://go.dev/issue/51112
- WEBhttps://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
- WEBhttps://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
- WEBhttps://lists.debian.org/debian-lts-announce/2022/04/msg00017.html
- WEBhttps://lists.debian.org/debian-lts-announce/2022/04/msg00018.html
- WEBhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-24921
- WEBhttps://security.gentoo.org/glsa/202208-02
- WEBhttps://security.netapp.com/advisory/ntap-20220325-0010/