forked from nihonium/linux-auth
290 lines
9.2 KiB
Text
290 lines
9.2 KiB
Text
Fetching vulnerabilities from the database...
|
|
|
|
Checking the code against the vulnerabilities...
|
|
|
|
The package pattern matched the following 10 root packages:
|
|
linux-auth/internal/db
|
|
linux-auth/internal/utils
|
|
linux-auth/cmd/add_user
|
|
linux-auth/internal/auth
|
|
linux-auth/internal/config
|
|
linux-auth/internal/ui
|
|
linux-auth/cmd/authapp
|
|
linux-auth/cmd/init_users
|
|
linux-auth/golang-fuzz
|
|
linux-auth/myfuzz
|
|
Govulncheck scanned the following 5 modules and the go1.24.4 standard library:
|
|
linux-auth
|
|
github.com/mattn/go-sqlite3@v1.14.33
|
|
github.com/pelletier/go-toml/v2@v2.2.4
|
|
golang.org/x/sys@v0.39.0
|
|
golang.org/x/term@v0.38.0
|
|
|
|
=== Symbol Results ===
|
|
|
|
Vulnerability #1: GO-2026-4341
|
|
Memory exhaustion in query parameter parsing in net/url
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4341
|
|
Standard library
|
|
Found in: net/url@go1.24.4
|
|
Fixed in: net/url@go1.24.12
|
|
Example traces found:
|
|
#1: internal/db/sqlite.go:32:26: db.Init calls sql.Open, which eventually calls url.ParseQuery
|
|
|
|
Vulnerability #2: GO-2025-3849
|
|
Incorrect results returned from Rows.Scan in database/sql
|
|
More info: https://pkg.go.dev/vuln/GO-2025-3849
|
|
Standard library
|
|
Found in: database/sql@go1.24.4
|
|
Fixed in: database/sql@go1.24.6
|
|
Example traces found:
|
|
#1: internal/db/sqlite.go:89:17: db.GetUser calls sql.Row.Scan
|
|
|
|
=== Package Results ===
|
|
|
|
Vulnerability #1: GO-2026-4864
|
|
TOCTOU permits root escape on Linux via Root.Chmod in os in
|
|
internal/syscall/unix
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4864
|
|
Standard library
|
|
Found in: internal/syscall/unix@go1.24.4
|
|
Fixed in: internal/syscall/unix@go1.25.9
|
|
Platforms: linux
|
|
|
|
Vulnerability #2: GO-2026-4602
|
|
FileInfo can escape from a Root in os
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4602
|
|
Standard library
|
|
Found in: os@go1.24.4
|
|
Fixed in: os@go1.25.8
|
|
|
|
Vulnerability #3: GO-2026-4601
|
|
Incorrect parsing of IPv6 host literals in net/url
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4601
|
|
Standard library
|
|
Found in: net/url@go1.24.4
|
|
Fixed in: net/url@go1.25.8
|
|
|
|
Vulnerability #4: GO-2025-4010
|
|
Insufficient validation of bracketed IPv6 hostnames in net/url
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4010
|
|
Standard library
|
|
Found in: net/url@go1.24.4
|
|
Fixed in: net/url@go1.24.8
|
|
|
|
=== Module Results ===
|
|
|
|
Vulnerability #1: GO-2026-4986
|
|
Quadratic string concatentation in consumeComment in net/mail
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4986
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #2: GO-2026-4982
|
|
Bypass of meta content URL escaping causes XSS in html/template
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4982
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #3: GO-2026-4981
|
|
Crash when handling long CNAME response in net
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4981
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #4: GO-2026-4980
|
|
Escaper bypass leads to XSS in html/template
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4980
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #5: GO-2026-4977
|
|
Quadratic string concatenation in consumePhrase in net/mail
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4977
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #6: GO-2026-4976
|
|
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in
|
|
net/http/httputil
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4976
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #7: GO-2026-4971
|
|
Panic in Dial and LookupPort when handling NUL byte on Windows in net
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4971
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #8: GO-2026-4947
|
|
Unexpected work during chain building in crypto/x509
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4947
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.9
|
|
|
|
Vulnerability #9: GO-2026-4946
|
|
Inefficient policy validation in crypto/x509
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4946
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.9
|
|
|
|
Vulnerability #10: GO-2026-4918
|
|
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in
|
|
net/http/internal/http2 in golang.org/x/net
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4918
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.10
|
|
|
|
Vulnerability #11: GO-2026-4870
|
|
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection
|
|
retention and DoS in crypto/tls
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4870
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.9
|
|
|
|
Vulnerability #12: GO-2026-4869
|
|
Unbounded allocation for old GNU sparse in archive/tar
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4869
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.9
|
|
|
|
Vulnerability #13: GO-2026-4865
|
|
JsBraceDepth Context Tracking Bugs (XSS) in html/template
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4865
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.9
|
|
|
|
Vulnerability #14: GO-2026-4603
|
|
URLs in meta content attribute actions are not escaped in html/template
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4603
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.25.8
|
|
|
|
Vulnerability #15: GO-2026-4342
|
|
Excessive CPU consumption when building archive index in archive/zip
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4342
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.12
|
|
|
|
Vulnerability #16: GO-2026-4340
|
|
Handshake messages may be processed at the incorrect encryption level in
|
|
crypto/tls
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4340
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.12
|
|
|
|
Vulnerability #17: GO-2026-4337
|
|
Unexpected session resumption in crypto/tls
|
|
More info: https://pkg.go.dev/vuln/GO-2026-4337
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.13
|
|
|
|
Vulnerability #18: GO-2025-4175
|
|
Improper application of excluded DNS name constraints when verifying
|
|
wildcard names in crypto/x509
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4175
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.11
|
|
|
|
Vulnerability #19: GO-2025-4155
|
|
Excessive resource consumption when printing error string for host
|
|
certificate validation in crypto/x509
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4155
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.11
|
|
|
|
Vulnerability #20: GO-2025-4015
|
|
Excessive CPU consumption in Reader.ReadResponse in net/textproto
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4015
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #21: GO-2025-4014
|
|
Unbounded allocation when parsing GNU sparse map in archive/tar
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4014
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #22: GO-2025-4013
|
|
Panic when validating certificates with DSA public keys in crypto/x509
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4013
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #23: GO-2025-4012
|
|
Lack of limit when parsing cookies can cause memory exhaustion in net/http
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4012
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #24: GO-2025-4011
|
|
Parsing DER payload can cause memory exhaustion in encoding/asn1
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4011
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #25: GO-2025-4009
|
|
Quadratic complexity when parsing some invalid inputs in encoding/pem
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4009
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #26: GO-2025-4008
|
|
ALPN negotiation error contains attacker controlled information in
|
|
crypto/tls
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4008
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #27: GO-2025-4007
|
|
Quadratic complexity when checking name constraints in crypto/x509
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4007
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.9
|
|
|
|
Vulnerability #28: GO-2025-4006
|
|
Excessive CPU consumption in ParseAddress in net/mail
|
|
More info: https://pkg.go.dev/vuln/GO-2025-4006
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.8
|
|
|
|
Vulnerability #29: GO-2025-3956
|
|
Unexpected paths returned from LookPath in os/exec
|
|
More info: https://pkg.go.dev/vuln/GO-2025-3956
|
|
Standard library
|
|
Found in: stdlib@go1.24.4
|
|
Fixed in: stdlib@go1.24.6
|
|
|
|
Your code is affected by 2 vulnerabilities from the Go standard library.
|
|
This scan also found 4 vulnerabilities in packages you import and 29
|
|
vulnerabilities in modules you require, but your code doesn't appear to call
|
|
these vulnerabilities.
|