Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OWNoLXcybTItM3ZqcM4AAvV0
golang.org/x/text/language Denial of service via crafted Accept-Language header
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.
Specific Go Packages Affected
golang.org/x/text/language
Permalink: https://github.com/advisories/GHSA-69ch-w2m2-3vjpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OWNoLXcybTItM3ZqcM4AAvV0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00168
EPSS Percentile: 0.53916
Identifiers: GHSA-69ch-w2m2-3vjp, CVE-2022-32149
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-32149
- https://go.dev/cl/442235
- https://go.dev/issue/56152
- https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ
- https://pkg.go.dev/vuln/GO-2022-1059
- https://github.com/golang/go/issues/56152
- https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c
- https://github.com/advisories/GHSA-69ch-w2m2-3vjp
Blast Radius: 40.9
Affected Packages
go:golang.org/x/text
Dependent packages: 113,820Dependent repositories: 280,468
Downloads:
Affected Version Ranges: < 0.3.8
Fixed in: 0.3.8
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7
All unaffected versions: 0.3.8, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0