CVE-2021-27918

Aliases:GO-2021-0234BIT-golang-2021-27918

Advisory lineage Upstream: 0 Downstream: 11

Downstream

DEBIAN-CVE-2021-27918 MGASA-2021-0369 OPENSUSE-SU-2021:0480-1 OPENSUSE-SU-2024:10808-1 OPENSUSE-SU-2024:10809-1 RHSA-2021:2704

Modified

Published: 10 Mar 2021, 23:54

Last modified:03 Aug 2024, 21:33

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.03% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 Mar 2021, 23:54

Published

Vulnerability first disclosed

03 Aug 2024, 21:33

Last Modified

Vulnerability information updated

Description

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.03%• Percentile: 7%

Techniques & Countermeasures

CWE-835•Loop with Unreachable Exit Condition ('Infinite Loop')
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Systems

golang•go
< 1.15.9 | ≥ 1.16.0, < 1.16.1
Go•stdlib
≥ 1.16.0-0, < 1.16.1