CVE Vulnerabilities

CVE-2020-29510

Published: Dec 14, 2020 | Modified: Jan 30, 2021
CVSS 3.x
5.6
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
5.6 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Ubuntu
MEDIUM

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Affected Software

Name Vendor Start Version End Version
Go Golang * 1.15 (including)
Golang Ubuntu trusty *
Golang-1.10 Ubuntu bionic *
Golang-1.10 Ubuntu trusty *
Golang-1.10 Ubuntu xenial *
Golang-1.13 Ubuntu bionic *
Golang-1.13 Ubuntu groovy *
Golang-1.13 Ubuntu hirsute *
Golang-1.13 Ubuntu impish *
Golang-1.13 Ubuntu kinetic *
Golang-1.13 Ubuntu xenial *
Golang-1.14 Ubuntu groovy *
Golang-1.14 Ubuntu hirsute *
Golang-1.15 Ubuntu groovy *
Golang-1.15 Ubuntu hirsute *
Golang-1.15 Ubuntu impish *
Golang-1.6 Ubuntu trusty *
Golang-1.6 Ubuntu xenial *
Golang-1.8 Ubuntu bionic *
Golang-1.9 Ubuntu bionic *

References