CVE-2020-14040 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/transform-v0.3.2

## CVE-2020-14040 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - github.com/golang/text-v0.3.2, github.com/golang/text/transform-v0.3.2</summary>


<details><summary>github.com/golang/text-v0.3.2</summary>

[mirror] Go text processing support


Dependency Hierarchy:
 - gopkg.in/couchbase/gocb.v1-v1.6.1 (Root Library)
 - gopkg.in/couchbase/gocbcore.v7-v7.1.13
 - golang.org/x/net/http2-ca1201d0de80cfde86cb01aea620983605dfe99b
 - golang.org/x/net/http/httpguts-ca1201d0de80cfde86cb01aea620983605dfe99b
 - golang.org/x/net/idna-ca1201d0de80cfde86cb01aea620983605dfe99b
 - github.com/golang/text/secure/bidirule-v0.3.2
 - github.com/golang/text/unicode/bidi-v0.3.2
 - github.com/golang/text/unicode/rangetable-v0.3.2
 - :x: **github.com/golang/text-v0.3.2** (Vulnerable Library)
</details>
<details><summary>github.com/golang/text/transform-v0.3.2</summary>

[mirror] Go text processing support


Dependency Hierarchy:
 - go.mongodb.org/mongo-driver/mongo-v1.0.3 (Root Library)
 - go.mongodb.org/mongo-driver/x/mongo/driver/topology-v1.0.3
 - go.mongodb.org/mongo-driver/x/mongo/driver/auth-v1.0.3
 - github.com/xdg/scram-7eeb5667e42c09cb51bf7b7c28aea8c56767da90
 - github.com/xdg/stringprep-v1.0.3
 - github.com/golang/text-v0.3.2
 - :x: **github.com/golang/text/transform-v0.3.2** (Vulnerable Library)
</details>

Found in base branch: master

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png' width=19 height=20> Vulnerability Details</summary>
 
 
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17
URL: <a href=https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-14040>CVE-2020-14040</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://osv.dev/vulnerability/GO-2020-0015">https://osv.dev/vulnerability/GO-2020-0015</a>
Release Date: 2020-06-17
Fix Resolution: v0.3.3


</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-14040 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/transform-v0.3.2 #339

CVE-2020-14040 - High Severity Vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2020-14040 (High) detected in github.com/golang/text-v0.3.2, github.com/golang/text/transform-v0.3.2 #339

Description

CVE-2020-14040 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions