HTML Parsing Flaw in Go's HTML Package Affects Multiple Products
CVE-2018-17847

7.5 HIGH

Key Information:

Vendor: Golang

Status
Vendor
CVE Published: 1 October 2018

What is CVE-2018-17847?

The html package in Go, through version 2018-09-25, contains a flaw that mishandles certain HTML elements including , , , and . Parsing such input with html.Parse triggers a 'panic: runtime error': when elements are removed from the node stack, an index goes out of range. An unrecovered panic terminates the Go process, so this vulnerability could disrupt the normal functioning of applications relying on the proper parsing of HTML content.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
