7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39213

GHSA ID

GHSA-xhmf-mmv2-4hhx

EPSS Score

0.37567%

CWE

CWE-125

Published

9/16/2022

Updated

2/15/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39213

CVE-2022-39213: Go-CVSS has Out-of-bounds Read vulnerability in ParseVector function

Impact

When a full CVSS v2.0 vector string is parsed using ParseVector, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic.

Patches

The problem is patched in tag v0.4.0, by the commit d9d478ff0c13b8b09ace030db9262f3c2fe031f4.

Workarounds

The only way to avoid it is by parsing CVSS v2.0 vector strings that does not have all attributes defined (e.g. AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M).

References

N/A

CPE v2.3

As stated in SECURITY.md, the CPE v2.3 to refer to this Go module is cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*. The entry has already been requested to the NVD CPE dictionnary.

Exploit example

package main

import (
	"log"

	gocvss20 "github.com/pandatix/go-cvss/20"
)

func main() {
	_, err := gocvss20.ParseVector("AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M")
	if err != nil {
		log.Fatal(err)
	}
}

When ran, the following trace is returned.

panic: runtime error: index out of range [3] with length 3

goroutine 1 [running]:
github.com/pandatix/go-cvss/20.ParseVector({0x4aed6c?, 0x0?})
        /home/lucas/go/pkg/mod/github.com/pandatix/go-cvss@v0.2.0/20/cvss20.go:54 +0x578
main.main()
        /media/lucas/HDD-K/Documents/cve-2022-xxxxx/main.go:10 +0x25
exit status 2

For more information

If you have any questions or comments about this advisory:

Open an issue in pandatix/go-cvss
Email me at lucastesson@protonmail.com

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39213

GHSA ID

GHSA-xhmf-mmv2-4hhx

EPSS Score

0.37567%

CWE

CWE-125

Published

9/16/2022

Updated

2/15/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/pandatix/go-cvss	go	>= 0.2.0, < 0.4.0	0.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in the ParseVector function as shown in the panic trace and commit diff analysis. The pre-patch code split the vector into parts and iterated through metric groups using nested slices (slcs). When processing a full 14-component vector, the loop would increment 'slci' beyond the length of the 'slcs' array (length=3, index=3), causing an out-of-bounds read. The patched commit introduced a fixed 'order' array and added a bounds check ('if slci == 4') to prevent this. The exploit example directly triggers this code path, confirming the function's vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n * *ull *VSS v*.* v**tor strin* is p*rs** usin* `P*rs*V**tor`, *n Out-o*-*oun*s R*** is possi*l* *u* to * l**k o* t*sts. T** *o mo*ul* will t**n p*ni*. ### P*t***s T** pro*l*m is p*t**** in t** `v*.*.*`, *y t** *ommit `***************

Reasoning

T** vuln*r**ility m*ni**sts in t** `P*rs*V**tor` *un*tion *s s*own in t** p*ni* tr*** *n* *ommit *i** *n*lysis. T** pr*-p*t** *o** split t** v**tor into p*rts *n* it*r*t** t*rou** m*tri* *roups usin* n*st** sli**s (`sl*s`). W**n pro**ssin* * *ull **-

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-39213: Go-CVSS has Out-of-bounds Read vulnerability in ParseVector function

Impact

Patches

Workarounds

References

CPE v2.3

Exploit example

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI