Sign In

CVE-2022-32149

SOURCE - github

Summary

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits. ### Specific Go Packages Affected golang.org/x/text/language

EPSS Score: 0.00176 (0.544)

Common Weakness Enumeration (CWE)

SOURCE - nist

CWE-772

Missing Release of Resource after Effective Lifetime

SOURCE - github

CWE-772

Missing Release of Resource after Effective Lifetime

SOURCE - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-772

Missing Release of Resource after Effective Lifetime

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

SOURCE - redhat

CWE-407

Inefficient Algorithmic Complexity

Sources (10)

Impacted images

nist

CREATED

UPDATED

SOURCE IDCVE-2022-32149
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-772

CVSS SCORE

7.5high

github

CREATED

UPDATED

SOURCE IDGHSA-69ch-w2m2-3vjp
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-772

CVSS SCORE

7.5high

alpine

CREATED

UPDATED

SOURCE IDCVE-2022-32149
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

debian

CREATED

UPDATED

SOURCE IDCVE-2022-32149
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

ubuntu

CREATED

UPDATED

SOURCE IDCVE-2022-32149
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5medium

golang

CREATED

UPDATED

SOURCE IDGO-2022-1059
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

gitlab

CREATED

UPDATED

SOURCE ID

CVE-2022-32149

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-772CWE-937

CVSS SCORE

7.5high

redhat

CREATED

UPDATED

SOURCE IDCVE-2022-32149
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-407

CVSS SCORE

7.5medium

chainguard

CREATED

UPDATED

SOURCE ID

CVE-2022-32149

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

wolfi

CREATED

UPDATED

SOURCE ID

CVE-2022-32149

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE