Miggo Logo

CVE-2020-29243: dhowden tag panic due to out-of-bounds read

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.61902%
Published
5/24/2022
Updated
5/20/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/dhowden/taggo< 0.0.0-20201120070457-d52dcb253c630.0.0-20201120070457-d52dcb253c63

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. Commit a922134 explicitly fixes readAPICFrame by adding buffer length checks and mimeDataSplit validation.
  2. Commit 6b18201 adds a length guard to readPICFrame.
  3. Commit 4b595ed corrects readAtomData's bounds check from 3 to 4 bytes.
  4. Issue #80 and CVE description directly reference panics in these frame-parsing functions when processing malformed input. The patches address the root cause (CWE-129) through added bounds checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*u* to improp*r *oun*s ****kin*, * num**r o* m*t*o*s in **ow**n t** ***or* *.*.*-**************-************ **n tri***r * p*ni* vi* `r****PI**r*m*` *u* to *tt*mpt** out-o*-*oun*s r***s. I* t** p**k*** is us** to p*rs* us*r suppli** input, t*is m*y *

Reasoning

*. *ommit ******* *xpli*itly *ix*s r****PI**r*m* *y ***in* *u***r l*n*t* ****ks *n* mim***t*Split v*li**tion. *. *ommit ******* ***s * l*n*t* *u*r* to r***PI**r*m*. *. *ommit ******* *orr**ts r****tom**t*'s *oun*s ****k *rom * to * *yt*s. *. Issu* #*