CVE-2018-17075 Information

Feb 14, 2021 cve

Description

The html package (aka x/net/html) before 2018-07-13 in Go mishandles \in frameset\ insertion mode leading to a \panic: runtime error\ for html.Parse of templateobject templateapplet or templatemarquee. This is related to HTMLTreeBuilder.cpp in WebKit.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

https://bugs.chromium.org/p/chromium/issues/detail?id=829668 https://github.com/golang/go/issues/27016 https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

7.5

Share on: