Vulnerability Description
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Text | < 0.3.7 |
Related Weaknesses (CWE)
References
- https://deps.dev/advisory/OSV/GO-2021-0113PatchThird Party Advisory
- https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56fMailing ListPatchVendor Advisory
- https://groups.google.com/g/golang-announceMailing ListThird Party Advisory
- https://pkg.go.dev/golang.org/x/text/languageProductVendor Advisory
- https://deps.dev/advisory/OSV/GO-2021-0113PatchThird Party Advisory
- https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56fMailing ListPatchVendor Advisory
- https://groups.google.com/g/golang-announceMailing ListThird Party Advisory
- https://pkg.go.dev/golang.org/x/text/languageProductVendor Advisory
FAQ
What is CVE-2021-38561?
CVE-2021-38561 is a vulnerability with a CVSS score of 7.5 (HIGH). golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, ...
How severe is CVE-2021-38561?
CVE-2021-38561 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-38561?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Text.