[GO-2022-0523] Stack exhaustion when unmarshaling certain documents in encoding/xml

Severity High

Affected Packages 2

Fixed Packages 2

CVEs 1

Unmarshaling an XML document into a Go struct which has a nested field that uses
the 'any' field tag can panic due to stack exhaustion.

Package	Affected Version
pkg:golang/encoding/xml	>= 1.18.3, < 1.17.12
pkg:golang/encoding/xml	>= 1.18.3, < 1.18.4

Package	Fixed Version
pkg:golang/encoding/xml	= 1.17.12
pkg:golang/encoding/xml	= 1.18.4

ID

GO-2022-0523

Severity

high

Severity from

CVE-2022-30633

URL

https://pkg.go.dev/vuln/GO-2022-0523

Published

2022-08-12T17:19:52
(2 years ago)

Modified

2024-07-17T19:54:18
(2 months ago)

Other Advisories

Type	Package URL	Namespace	Name / Product	Version
Fixed	pkg:golang/encoding/xml	encoding	xml	= 1.17.12
Affected	pkg:golang/encoding/xml	encoding	xml	>= 1.18.3 < 1.17.12
Fixed	pkg:golang/encoding/xml	encoding	xml	= 1.18.4
Affected	pkg:golang/encoding/xml	encoding	xml	>= 1.18.3 < 1.18.4

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date