CVE-2022-41715

EUVD-2022-44891
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.18.7
golanggo
1.19.0 ≤
𝑥
< 1.19.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
buster
postponed
golang-1.19
bookworm
1.19.8-2
fixed
bullseye
no-dsa
buster
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-1.10
bionic
needs-triage
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
needs-triage
xenial
needs-triage
golang-1.13
bionic
needed
focal
needed
jammy
needed
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needed
golang-1.14
bionic
dne
focal
needed
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.16
bionic
needed
focal
needed
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.17
bionic
dne
focal
dne
jammy
not-affected
trusty
ignored
xenial
ignored
golang-1.18
bionic
Fixed 1.18.1-1ubuntu1~18.04.4
released
focal
Fixed 1.18.1-1ubuntu1~20.04.2
released
jammy
Fixed 1.18.1-1ubuntu1.1
released
lunar
dne
noble
dne
trusty
ignored
xenial
not-affected
golang-1.19
bionic
dne
focal
dne
jammy
dne
kinetic
not-affected
lunar
not-affected
noble
dne
trusty
ignored
xenial
ignored
golang-1.6
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
needed
golang-1.8
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.9
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
References
https://go.dev/cl/439356
https://go.dev/issue/55949
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1039
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/439356
https://go.dev/issue/55949
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1039
https://security.gentoo.org/glsa/202311-09