CVE-2020-29244: dhowden tag panic due to out-of-bounds read

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.61902%
Published: 5/24/2022
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name: github.com/dhowden/tag
Ecosystem: Go
Vulnerable Versions: < 0.0.0-20201120070457-d52dcb253c63
First Patched Version: 0.0.0-20201120070457-d52dcb253c63

Vulnerability Intelligence
Root Cause Analysis

  1. Commit diffs explicitly show bounds check fixes in readAtomData (mp4.go) and three ID3v2 frame handlers (id3v2frames.go).
  2. Issue #79 directly references readTextWithDescrFrame panics.
  3. CWE-129 mapping confirms improper array index validation patterns in these functions.
  4. Go vulnerability report (GO-2021-0097) lists ReadID3v2Tags and ReadFrom as affected symbols, which depend on the vulnerable frame parsing functions.
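To make the failure mode concrete, the following added example (not code from the dhowden/tag repository or from this advisory) models the layout of an ID3v2 "text with description" frame body, one encoding byte followed by a NUL-terminated description and the text, and shows the pre-fix indexing pattern beside a bounds-checked rewrite. The names parseUnchecked, parseChecked, findTerminator and panics are this example's own; the real library's readTextWithDescrFrame is not reproduced here, and strings are kept as raw bytes without UTF-16 decoding.

```go
package main

import (
	"errors"
	"fmt"
)

// ID3v2 text-encoding byte values. The UTF-16 variants use a two-byte NUL terminator.
const (
	encISO88591 byte = 0x00
	encUTF16    byte = 0x01
	encUTF16BE  byte = 0x02
	encUTF8     byte = 0x03
)

// TextWithDescr is a simplified "text with description" frame body (model, not the
// library's type): encoding byte, NUL-terminated description, then the text.
type TextWithDescr struct {
	Encoding    byte
	Description string
	Text        string
}

// terminatorLen is the width of the NUL terminator for the given encoding.
func terminatorLen(enc byte) int {
	if enc == encUTF16 || enc == encUTF16BE {
		return 2
	}
	return 1
}

// findTerminator returns the offset of the first all-zero n-byte unit in b,
// scanning in n-byte steps, or -1 when no terminator is present.
func findTerminator(b []byte, n int) int {
	for i := 0; i+n <= len(b); i += n {
		zero := true
		for _, c := range b[i : i+n] {
			if c != 0 {
				zero = false
				break
			}
		}
		if zero {
			return i
		}
	}
	return -1
}

// parseUnchecked follows the pre-fix pattern: b[0] is indexed and the terminator
// offset is used for slicing without validation. An empty body panics with
// "index out of range"; a body with no terminator panics with "slice bounds out of range".
func parseUnchecked(b []byte) TextWithDescr {
	enc := b[0]
	rest := b[1:]
	n := terminatorLen(enc)
	i := findTerminator(rest, n)
	return TextWithDescr{Encoding: enc, Description: string(rest[:i]), Text: string(rest[i+n:])}
}

var errTruncated = errors.New("id3v2: truncated text-with-description frame")

// parseChecked is the hardened form: every offset is validated before use and a
// malformed body is reported as an error instead of a runtime panic.
func parseChecked(b []byte) (TextWithDescr, error) {
	if len(b) < 1 {
		return TextWithDescr{}, errTruncated
	}
	enc := b[0]
	if enc > encUTF8 {
		return TextWithDescr{}, fmt.Errorf("id3v2: unknown text encoding %#x", enc)
	}
	rest := b[1:]
	n := terminatorLen(enc)
	i := findTerminator(rest, n)
	if i < 0 {
		return TextWithDescr{}, errTruncated
	}
	return TextWithDescr{Encoding: enc, Description: string(rest[:i]), Text: string(rest[i+n:])}, nil
}

// panics reports whether parseUnchecked crashes on b. Without a recover like this,
// a service parsing attacker-supplied tags is taken down by one malformed frame.
func panics(b []byte) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	parseUnchecked(b)
	return false
}

func main() {
	// Constructed sample frame bodies: one well-formed, two malformed.
	inputs := []struct {
		name string
		body []byte
	}{
		{"well-formed", []byte{encUTF8, 'c', 'o', 'm', 'm', 'e', 'n', 't', 0, 'h', 'e', 'l', 'l', 'o'}},
		{"empty body", []byte{}},
		{"no terminator", []byte{encUTF8, 'x', 'y'}},
	}
	for _, in := range inputs {
		f, err := parseChecked(in.body)
		fmt.Printf("%-14s unchecked panics=%v  checked=%+v err=%v\n", in.name, panics(in.body), f, err)
	}
}
```

The same two malformed inputs that crash parseUnchecked are turned into ordinary errors by parseChecked; that is the shape of the fix the commit diffs apply to readAtomData and the ID3v2 frame handlers. Until a codebase is on the patched version, callers of ReadFrom or ReadID3v2Tags handling untrusted files need an equivalent recover around the parse.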

WAF Protection Rules

WAF Rule

Due to improper bounds checking, a number of methods in dhowden tag before 0.0.0-20201120070457-d52dcb253c63 can trigger a panic due to attempted out-of-bounds reads. If the package is used to parse user supplied input, this may be used as a vector […]
