CVE-2022-32149: golang.org/x/text < 0.3.8 #381

MichaelMcAleer · 2022-11-23T11:19:04Z

golang.org/x/text versions before 0.3.8 are vulnerable to CVE-2022-32149:

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

This was flagged in a Whitesource/Mend vulnerability scan. Please update golang.org/x/text in go.mod to a version equal to or higher than 0.3.8.

https://www.cve.org/CVERecord?id=CVE-2022-32149
https://www.mend.io/vulnerability-database/CVE-2022-32149

MShekow · 2023-01-09T06:48:09Z

From looking at the code, I don't understand why golang.org/x/text is needed at all. It is only used in util.go in a function NeuterAccents() which is never called...

MShekow · 2023-04-12T07:54:20Z

Would be great if this could be addressed :)

0x4c6565 · 2023-05-03T07:52:41Z

@MShekow added #391 to address this

MichaelMcAleer mentioned this issue Nov 23, 2022

fix(deps): golang.org/x/crypto, golang.org/x/text #376

Closed

0x4c6565 linked a pull request May 3, 2023 that will close this issue

Remove dead code, bump google.golang.org/api version #391

Open

pjonsson mentioned this issue Jul 31, 2023

Vulnerability of dependency "golang.org/x/text" #394

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-32149: golang.org/x/text < 0.3.8 #381

CVE-2022-32149: golang.org/x/text < 0.3.8 #381

MichaelMcAleer commented Nov 23, 2022

MShekow commented Jan 9, 2023

MShekow commented Apr 12, 2023

0x4c6565 commented May 3, 2023

CVE-2022-32149: golang.org/x/text < 0.3.8 #381

CVE-2022-32149: golang.org/x/text < 0.3.8 #381

Comments

MichaelMcAleer commented Nov 23, 2022

MShekow commented Jan 9, 2023

MShekow commented Apr 12, 2023

0x4c6565 commented May 3, 2023