Repository

spf13/afero

A FileSystem Abstraction System for Go

CVE-2022-32149: golang.org/x/text < 0.3.8

golang.org/x/text versions before 0.3.8 are vulnerable to CVE-2022-32149:

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

This was flagged in a Whitesource/Mend vulnerability scan. Please update golang.org/x/text in go.mod to a version equal to or higher than 0.3.8.

https://www.cve.org/CVERecord?id=CVE-2022-32149
https://www.mend.io/vulnerability-database/CVE-2022-32149
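One way to check a go.mod for the condition reported above, as an added example that is not part of the original issue or of afero's code. The function name `TextStatus` and the sample go.mod are constructed for illustration; the check assumes only `require` directives matter and does not handle `exclude` blocks or `replace` overrides.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module and fixed release named in the report above.
const modulePath = "golang.org/x/text"

var fixed = [3]int{0, 3, 8}

// TextStatus scans go.mod text (single-line and block "require" forms) and
// reports the required version and whether it sorts before 0.3.8.
func TextStatus(goMod string) (version string, vulnerable bool, err error) {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) != 2 || f[0] != modulePath {
			continue
		}
		core, _, _ := strings.Cut(strings.TrimPrefix(f[1], "v"), "+")
		core, _, pre := strings.Cut(core, "-") // pre-release or pseudo-version suffix
		parts := strings.Split(core, ".")
		if len(parts) != 3 {
			return f[1], false, fmt.Errorf("unexpected version %q", f[1])
		}
		for i, p := range parts {
			n, convErr := strconv.Atoi(p)
			if convErr != nil {
				return f[1], false, convErr
			}
			if n != fixed[i] {
				return f[1], n < fixed[i], nil
			}
		}
		return f[1], pre, nil // v0.3.8-<suffix> sorts before v0.3.8
	}
	return "", false, nil // module not required
}

func main() {
	// Constructed go.mod content, not afero's actual file.
	sample := "module example.com/demo\n\nrequire (\n\tgolang.org/x/text v0.3.7 // indirect\n)\n"
	fmt.Println(TextStatus(sample))
}
```

A version match only shows the dependency is present at an affected release; whether `ParseAcceptLanguage` is reachable from the importing code is a separate question.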

1 Comment

  1. From looking at the code, I don't understand why golang.org/x/text is needed at all. It is only used in util.go in a function NeuterAccents() which is never called...