Base Score

HIGH7.5

CVE-2022-24921

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

VectorNETWORK

Published Bycve@mitre.org

Published DateMar 05, 2022, 20:15

Weakness Type (CWE):CWE-674

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html
https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
https://security.gentoo.org/glsa/202208-02
https://security.netapp.com/advisory/ntap-20220325-0010/

Base Score

HIGH7.5

Weakness Type (CWE):CWE-674

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH