
CVE-2018-17847: golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.75005%
Published: 5/13/2022
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: golang.org/x/net
Ecosystem: go
Vulnerable Versions: < 0.0.0-20190125002852-4b62a64f59f7
First Patched Version: 0.0.0-20190125002852-4b62a64f59f7

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two key functions:

  1. (*nodeStack).contains in node.go failed to distinguish namespaces, allowing invalid stack states. Commit 4b62a64 explicitly fixes this by adding namespace checks.
  2. (*parser).clearActiveFormattingElements in parse.go interacts directly with the stack and triggered the panic via 'pop' after relying on the faulty 'contains' logic. The stack trace in the issue (#27846) and the CVE description both implicate this function as the panic entry point. Both functions are necessary to reproduce the vulnerability.
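
The interaction of the two functions can be seen in a small model. This is an added example, not code from golang.org/x/net/html: the types, the `marker` field, `endTemplate`, `demo` and the `checkNS` switch are hypothetical simplifications, and the stack state is constructed.

```go
package main

import "fmt"

// Simplified stand-ins, not x/net/html's types. namespace "" means HTML.
type node struct {
	tag, namespace string
	marker         bool // scope marker pushed when an HTML template opens
}
type nodeStack []*node

// pop is unchecked: on an empty stack it panics with "index out of range".
func (s *nodeStack) pop() *node {
	n := (*s)[len(*s)-1]
	*s = (*s)[:len(*s)-1]
	return n
}

// contains ignores namespaces unless checkNS is set (set models the fix).
func (s *nodeStack) contains(tag string, checkNS bool) bool {
	for _, n := range *s {
		if n.tag == tag && (!checkNS || n.namespace == "") {
			return true
		}
	}
	return false
}

// endTemplate trusts contains, then pops up to the marker; recover reports the panic.
func endTemplate(open, formatting *nodeStack, checkNS bool) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panic: %v", r)
		}
	}()
	if !open.contains("template", checkNS) {
		return nil // no HTML template is open, so the end tag is ignored
	}
	for {
		if n := formatting.pop(); n.marker || len(*formatting) == 0 {
			return nil
		}
	}
}

// demo uses a constructed state: an SVG-namespace template is open, no marker.
func demo(checkNS bool) error {
	open := nodeStack{{tag: "svg", namespace: "svg"}, {tag: "template", namespace: "svg"}}
	return endTemplate(&open, &nodeStack{}, checkNS)
}
func main() { fmt.Println(demo(false), demo(true)) }
```

Without the namespace check, the foreign-namespace element is mistaken for an HTML template and the unchecked pop runs on an empty stack; with the check, the end tag is ignored and nothing is popped.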
