CVE-2020-29244: dhowden tag panic due to out-of-bounds read
CVSS Score: 6.5 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.61902%
CWE
Published: 5/24/2022
Updated: 5/20/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/dhowden/tag | go | < 0.0.0-20201120070457-d52dcb253c63 | 0.0.0-20201120070457-d52dcb253c63 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- Commit diffs explicitly show bounds check fixes in readAtomData (mp4.go) and three ID3v2 frame handlers (id3v2frames.go).
- Issue #79 directly references readTextWithDescrFrame panics.
- CWE-129 mapping confirms improper array index validation patterns in these functions.
- Go vulnerability report (GO-2021-0097) lists ReadID3v2Tags and ReadFrom as affected symbols, which depend on the vulnerable frame parsing functions.
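
The missing-bounds-check pattern named above, as an added example (not code from github.com/dhowden/tag): a text-with-description frame body parsed once without length validation and once with it. The function names, error values and sample inputs are constructed for illustration; the layout assumed is encoding byte, 3-byte language, description, 0x00 terminator, text.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Assumed frame body: 1 byte encoding, 3 bytes language, description,
// 0x00 terminator, text. Only encoding 0x00 (ISO-8859-1) is handled.
var errShortFrame = errors.New("frame too short")

// parseUnchecked trusts the input length (the CWE-129 pattern).
func parseUnchecked(b []byte) (lang, descr, text string) {
	lang = string([]byte{b[1], b[2], b[3]}) // panics when len(b) < 4
	rest := b[4:]
	i := bytes.IndexByte(rest, 0)
	return lang, string(rest[:i]), string(rest[i+1:]) // panics when i == -1
}

// parseChecked validates every offset before slicing and returns an error.
func parseChecked(b []byte) (lang, descr, text string, err error) {
	if len(b) < 4 {
		return "", "", "", errShortFrame
	}
	if b[0] != 0 {
		return "", "", "", errors.New("unsupported encoding")
	}
	rest := b[4:]
	i := bytes.IndexByte(rest, 0)
	if i < 0 {
		return "", "", "", errors.New("missing description terminator")
	}
	return string(b[1:4]), string(rest[:i]), string(rest[i+1:]), nil
}

// panics reports whether parseUnchecked panics on b.
func panics(b []byte) (p bool) {
	defer func() { p = recover() != nil }()
	parseUnchecked(b)
	return false
}

func main() {
	for _, in := range [][]byte{[]byte("\x00engtitle\x00body"), {0x00, 'e'}, []byte("\x00engnoterm")} {
		_, _, _, err := parseChecked(in)
		fmt.Printf("%q unchecked panics=%v checked err=%v\n", in, panics(in), err)
	}
}
```

A caller that parses untrusted media files gets an error it can handle from the checked form, where the unchecked form terminates the process unless every call site recovers.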