Vulnerability Name:

CVE-2020-14040 (CCN-184313)

Assigned:2020-06-17
Published:2020-06-17
Updated:2020-11-18
Summary:The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-835
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2020-14040

Source: XF
Type: UNKNOWN
golang-cve202014040-dos(184313)

Source: CCN
Type: go GIT Repository
x/text: UTF-16 decoder behaves incorrectly on single-byte input #39491

Source: CCN
Type: Google Groups Web site
Vulnerability in golang.org/x/text/encoding/unicode

Source: MISC
Type: Third Party Advisory
https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0

Source: FEDORA
Type: Third Party Advisory
FEDORA-2020-a55f130272

Source: CCN
Type: IBM Security Bulletin 6471263 (Cloud Pak for Applications)
A vulnerabilty has been found in x/test pacakge before 0.3.3 for Go that could lead to an infinite loop, affecting IBM Cloud Pak for Applications

Source: CCN
Type: IBM Security Bulletin 6599703 (Db2 On Openshift)
Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6833266 (CICS TX Standard)
IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Golang Go.

Source: CCN
Type: IBM Security Bulletin 6833268 (CICS TX Advanced)
IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Golang Go.

Source: CCN
Type: IBM Security Bulletin 6991593 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: IBM Security Bulletin 6991619 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: IBM Security Bulletin 6991629 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: IBM Security Bulletin 7002503 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7004655 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Vulnerable Configuration:Configuration 1:
  • cpe:/a:golang:text:*:*:*:*:*:*:*:* (Version < 0.3.3)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:cloud_pak_for_applications:4.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20204694
    P
    		RHSA-2020:4694: container-tools:rhel8 security, bug fix, and enhancement update (Moderate)
    2020-11-04
    oval:com.redhat.rhsa:def:20203665
    P
    		RHSA-2020:3665: go-toolset:rhel8 security update (Moderate)
    2020-09-08
    BACK
    golang text *
    fedoraproject fedora 32
    ibm cloud pak for applications 4.3
    ibm db2 warehouse 3.5 -
    ibm db2 warehouse 4.0 -
    ibm db2 3.5 -
    ibm db2 4.0 -
    ibm cics tx 11.1
    ibm cics tx 11.1
    ibm cloud pak for security 1.10.0.0