sultanabubaker / intentionally-vulnerable-golang-project


CVE-2018-17846 (High) detected in github.com/go-gitea/gitea-v1.2.3 #40

Open dev-mend-for-github-com[bot] opened 2 years ago

dev-mend-for-github-com[bot] commented 2 years ago

CVE-2018-17846 - High Severity Vulnerability

Vulnerable Library - github.com/go-gitea/gitea-v1.2.3

Git with a cup of tea, painless self-hosted git service

Dependency Hierarchy:
- :x: **github.com/go-gitea/gitea-v1.2.3** (Vulnerable Library)

Found in HEAD commit: 69a84c862836bec3e4be9a461b9e320cda5aeb94

Found in base branch: master

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

Publish Date: 2018-10-01

URL: CVE-2018-17846

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17846

Release Date: 2018-10-01

Fix Resolution (fork - fixing commit(s)):
- github.com/matishsiao/net/html - 5c9495a32797e34e9bf5ac91e69eb447443b78fd
- github.com/pweil-/net/html - 3053e46bf4d836639f474dd738a58070463890e9,5c9495a32797e34e9bf5ac91e69eb447443b78fd,63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/psiphon-labs/net/html - 161cd47e91fd58ac17490ef4d742dc98bb4cf60e,2b459478774d488f63f6b8e8ec2429c502a43dd1
- github.com/shekhei/net/html - b1ee7b3fbbb773e8e4b649ade000633fb867ba77,66b3e5ee27f66da79cc3695f293932920e946d87
- github.com/alexsaveliev/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/foreversmart/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/suedadam/net/html - fbe893ddcdf0e847ed928b77e4b17ff5ec3b8a32
- github.com/fangdingjun/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/crmackay/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/jfcote87/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/chris-ramon/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/johnsto/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/rsms/golang-net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/rainkid/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,7ad508c2a7acafff7c6c8522d7e6efda5311476c,2a8eb9119c34470d7ecc9fb846e6ae3da2512cdd,3eb064ebfe6b9b907715cf7eeda05c367c55f32d,2e20f33919de098ec28d48d93b0735cc76567f6e,23996681074122163cfa22b185668f84935be9a9,a33e90a7ecf9022ea7e3e42bb05bd5a5cca71f35
- github.com/subuk/net/html - 66b3e5ee27f66da79cc3695f293932920e946d87
- github.com/hugomfernandes/net/html - 67f25490433376b5f7da086c0b9283fcdeca3a7b,a33e90a7ecf9022ea7e3e42bb05bd5a5cca71f35,6f62f426de90c0ed6a55207b51476115fcb17237,63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/letsencrypt/net/html - 153a6a61520e23dabb758b4a612bff144e5e28eb,1cd7b7179478daf1f19f8b4b4f08106ef411619b,ca657d0bd9d9b4f73523118b59af79e5374b9908,5b4754d96d73efe14f882d2f14ae3d29f7b2a67d,b56b60992857e77db9472023aaef7a33881d130b,8bc62b7ce1723e0e686c39f8fe3c5e8d03c8524c,d8b496d92df37acaa5a038846651d41f7cbe6326,3748d8c2fdc5600797e1200ed7ca82358bbeadeb,947224908606a5aa6af4427c3a2cea51387aa38a
- github.com/nodirt/net/html - 66b3e5ee27f66da79cc3695f293932920e946d87,ec18079348e79eb393866e87d402a1a8cc580d7f
- github.com/jash16/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/bountylabs/net/html - 2a8eb9119c34470d7ecc9fb846e6ae3da2512cdd,59b0df9b1f7abda5aab0495ee54f408daf182ce7,63ee83b038e98e5716bfdd1a94178718cff506d2,9f8bef6b5998053643dca00058a0938278e882ab,1db34d83398887aa887306d261882f799bee3678,46077d3c5415f800cd8105911d4ed880c1db2138
- github.com/suifengrock/golang-net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,40ad15caf30bbcbd0cb852523ec4dfabc440d37b,5058c78c3627b31e484a81463acd51c7cecc06f3
- github.com/petermattis/x-net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/bradleyfalzon/net/html - 1cd7b7179478daf1f19f8b4b4f08106ef411619b,ca657d0bd9d9b4f73523118b59af79e5374b9908,153a6a61520e23dabb758b4a612bff144e5e28eb,5b4754d96d73efe14f882d2f14ae3d29f7b2a67d,b56b60992857e77db9472023aaef7a33881d130b,8bc62b7ce1723e0e686c39f8fe3c5e8d03c8524c
- github.com/radioinmyhead/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,3053e46bf4d836639f474dd738a58070463890e9
- github.com/jelmersnoeck/go.net/html - 104dcad90073cd8d1e6828b2af19185b60cf3e29
- github.com/jackmiller334/net/html - d96e6bbf425715f2bd00806e45fbbd5a54870397,63ee83b038e98e5716bfdd1a94178718cff506d2,5b76c8047cfbdbe90fdc031267d2144555ad63e3
- github.com/owner888/net/html - 66b3e5ee27f66da79cc3695f293932920e946d87
- github.com/golang/net/html - 97775bb4655419e5ab44c1f918c5bed052130f1b,161cd47e91fd58ac17490ef4d742dc98bb4cf60e
- github.com/cesanta/goxnet/html - 23996681074122163cfa22b185668f84935be9a9,63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/fanatic/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/8090boy/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/niniwzw/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2
- github.com/smithfox/gonet/html - 835a8501270a5b32645da11de6ee20e02f57e10e
- github.com/matishsiao/net/html - 67f25490433376b5f7da086c0b9283fcdeca3a7b,8bc62b7ce1723e0e686c39f8fe3c5e8d03c8524c,405a8afa2d839d68dbd0481db63e49356af19650,2e20f33919de098ec28d48d93b0735cc76567f6e
- github.com/donovanhide/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,5b4754d96d73efe14f882d2f14ae3d29f7b2a67d,1cd7b7179478daf1f19f8b4b4f08106ef411619b