Fluid Attacks Database

Description

golang.org/x/net/html Infinite Loop vulnerability Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	golang-golang-x-net	>=0 <1:0.0+git20210119.5f4716e+dfsg-4	1:0.0+git20210119.5f4716e+dfsg-4
debian 12	golang-golang-x-net	>=0 <1:0.0+git20210119.5f4716e+dfsg-4	1:0.0+git20210119.5f4716e+dfsg-4
go	golang.org/x/net	>=0 <0.0.0-20210520170846-37e1c6afe023	0.0.0-20210520170846-37e1c6afe023
go	golang.org/x/net/html	>=0 <0.0.0-20210520170846-37e1c6afe023	0.0.0-20210520170846-37e1c6afe023
debian 11	golang-golang-x-net	>=0 <1:0.0+git20210119.5f4716e+dfsg-4	1:0.0+git20210119.5f4716e+dfsg-4
debian 14	golang-golang-x-net	>=0 <1:0.0+git20210119.5f4716e+dfsg-4	1:0.0+git20210119.5f4716e+dfsg-4
rpm rhel7	golang	-	-

Aliases

1. CVE-2021-331942. NVD-2021-331943. OSV-DEBIAN-2021-331944. OSV-2021-331945. GHSA-83g2-8m93-v3w76. GCVE-2021-331947. SECURITY-TRACKER-CVE-2021-33194

References

1. https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d72. https://go.dev/cl/3110903. https://go.dev/issue/462884. https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d75. https://groups.google.com/g/golang-announce/c/wPunbCPkWUg6. https://lists.fedoraproject.org/archives/list/[email protected]/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM7. https://pkg.go.dev/vuln/GO-2021-02388. https://lists.fedoraproject.org/archives/list/[email protected]/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/