CVE-2022-24921 : regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

Published 2022-03-05 20:15:08

Updated 2023-04-20 00:15:08

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-24921

Probability of exploitation activity in the next 30 days: 0.19%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 56 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Assigned by: nvd@nist.gov (Primary)

https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html

[SECURITY] [DLA 2985-1] golang-1.7 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html

[SECURITY] [DLA 3395-1] golang-1.11 security update

CVEs referencing this url
https://security.gentoo.org/glsa/202208-02

Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk

[security] Go 1.17.8 and Go 1.16.15 are released
Issue Tracking;Mailing List;Release Notes;Third Party Advisory
https://security.netapp.com/advisory/ntap-20220325-0010/

CVE-2022-24921 Golang Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html

[SECURITY] [DLA 2986-1] golang-1.8 security update
Mailing List;Third Party Advisory

CVEs referencing this url

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Netapp » Astra Trident » Version: N/A
cpe:2.3:a:netapp:astra_trident:-:*:*:*:*:*:*:*
Matching versions
Golang » GO
Versions from including (>=) 1.17 and before (<) 1.17.8
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions
Golang » GO
Versions before (<) 1.16.15
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions