CVE-2022-32149

SOURCE - github

Summary

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits. ### Specific Go Packages Affected golang.org/x/text/language

EPSS Score: 0.00176 (0.546)

Common Weakness Enumeration (CWE)

SOURCE - nist

Missing Release of Resource after Effective Lifetime

SOURCE - github

Missing Release of Resource after Effective Lifetime

SOURCE - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Missing Release of Resource after Effective Lifetime

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

SOURCE - redhat

Inefficient Algorithmic Complexity


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in