Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Out-of-bounds Read in go-cvss
Vulnerability Description
go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS). In affected versions when a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`. Users are advised to upgrade. Users unable to upgrade may avoid this issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`). As stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`. The entry has already been requested to the NVD CPE dictionary.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
跨界内存读
Vulnerability Title
Go-CVSS 缓冲区错误漏洞
Vulnerability Description
Go-CVSS是Lucas TESSON个人开发者的一个低分配 Go 模块。用于操作通用漏洞评分系统 (CVSS)。 Go-CVSS v0.4.0之前版本存在缓冲区错误漏洞,该漏洞源于当使用“ParseVector”解析完整的CVSS v2.0向量字符串时,由于缺乏测试,可能会出现越界读取,然后Go模块会恐慌。
CVSS Information
N/A
Vulnerability Type
N/A