Incorrect Handling of Frameset Insertion Mode in Go's HTML Package
CVE-2018-17075

7.5 HIGH

Key Information:

Vendor

Golang

Status
Vendor
CVE Published:
16 September 2018

What is CVE-2018-17075?

The html package in Go (x/net/html) contains a flaw in its handling of the "in frameset" insertion mode. Prior to July 13, 2018, certain HTML tags such as , , and could trigger a runtime panic during parsing. The issue raises compatibility concerns with web standards and is related to components of WebKit. It can also make applications that rely on this library unstable, because an unrecovered panic terminates a Go program.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
