CVE-2021-38561

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
Affected Products (NVD)
VendorProductVersion
golangtext
𝑥
< 0.3.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-golang-x-text
bookworm
0.7.0-1
fixed
bullseye
no-dsa
buster
postponed
sid
0.16.0-1
fixed
trixie
0.16.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-golang-x-text
bionic
dne
focal
Fixed 0.3.2-4ubuntu0.1
released
impish
ignored
jammy
Fixed 0.3.7-1
released
kinetic
Fixed 0.3.7-1
released
lunar
Fixed 0.3.7-1
released
mantic
Fixed 0.3.7-1
released
noble
Fixed 0.3.7-1
released
trusty
dne
xenial
dne
golang-x-text
bionic
Fixed 0.0~git20170627.0.6353ef0-1ubuntu2.1
released
focal
ignored
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
buildah
Azure Linux 3.0
0:1.41.4-2.azl3
fixed
cni
Azure Linux 3.0
0:1.1.2-2.azl3
fixed
containernetworking-plugins
Azure Linux 3.0
0:1.6.1-4.azl3
fixed
keda
Azure Linux 3.0
0:2.14.0-1.azl3
fixed
multus
Azure Linux 3.0
0:4.0.2-1.azl3
fixed
podman
Azure Linux 3.0
0:5.6.1-2.azl3
fixed