Fluid Attacks Database

Description

x/net/html Vulnerable to DoS During HTML Parsing The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	golang.org/x/net	>=0 <0.0.0-20190125091013-d26f9f9a57f3	0.0.0-20190125091013-d26f9f9a57f3

Aliases

1. CVE-2018-178462. NVD-2018-178463. OSV-2018-178464. GCVE-2018-17846

References

1. https://github.com/golang/go/issues/278422. https://go-review.googlesource.com/c/1372753. https://go.dev/issue/278424. https://go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf5. https://lists.fedoraproject.org/archives/list/[email protected]/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON6. https://lists.fedoraproject.org/archives/list/[email protected]/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK7. https://pkg.go.dev/vuln/GO-2020-0014