afero icon indicating copy to clipboard operation
afero copied to clipboard

Published 20 hours ago verified publisher icon spf13

CVE-2022-32149: golang.org/x/text < 0.3.8

Open MichaelMcAleer opened this issue 2 years ago • 3 comments

golang.org/x/text versions before 0.3.8 are vulnerable to CVE-2022-32149:

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

This was flagged in a Whitesource/Mend vulnerability scan. Please update golang.org/x/text in go.mod to a version equal to or higher than 0.3.8.

https://www.cve.org/CVERecord?id=CVE-2022-32149 https://www.mend.io/vulnerability-database/CVE-2022-32149

MichaelMcAleer avatar Nov 23 '22 11:11 MichaelMcAleer

From looking at the code, I don't understand why golang.org/x/text is needed at all. It is only used in util.go in a function NeuterAccents() which is never called...

MShekow avatar Jan 09 '23 06:01 MShekow

Would be great if this could be addressed :)

MShekow avatar Apr 12 '23 07:04 MShekow

@MShekow added https://github.com/spf13/afero/pull/391 to address this

0x4c6565 avatar May 03 '23 07:05 0x4c6565