CVE-2018-17075

HIGH

Go html package <2018-07-13 - Panic

Title source: llm

Description

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit.

Scores

CVSS v3 7.5
EPSS 0.0075
EPSS Percentile 73.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (4)
fedoraproject/fedora 28
fedoraproject/fedora 29
golang/net < 2018-07-12
x/net 0 - 0.0.0-20180816102801-aaf60122140d (Go)
Published Sep 16, 2018
Tracked Since Feb 18, 2026