CVE-2022-39213: CWE-125: Out-of-bounds Read in pandatix go-cvss
go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS) vectors. In affected versions, when a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`. Users are advised to upgrade. Users unable to upgrade may avoid this issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined; a fully defined vector, i.e. one that triggers the panic, looks like `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`. As stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`. The entry has already been requested for inclusion in the NVD CPE dictionary.
AI Analysis
Technical Summary
CVE-2022-39213 is a medium-severity vulnerability in the pandatix go-cvss Go module, a library for parsing and manipulating Common Vulnerability Scoring System (CVSS) vectors. It is triggered when a full CVSS v2.0 vector string, one that defines all base, temporal and environmental metrics, is passed to `ParseVector`. Insufficient bounds checking in the parser leads to an out-of-bounds read (CWE-125). In Go the runtime's bounds check turns such an access into a panic rather than silently reading adjacent memory, so the practical effect is a crash, not information disclosure: an unrecovered panic terminates the whole process, not just the goroutine that called the parser, which is a denial of service for any application or service built on the module. The affected range is go-cvss 0.2.0 up to, but not including, 0.4.0; the fix in 0.4.0 (commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`) adds the missing validation. Users who cannot upgrade immediately can avoid the panic by refusing to parse fully defined v2.0 vectors and accepting only partial ones. No exploitation in the wild has been reported to date. The root cause is insufficient input validation and test coverage for vectors carrying the full metric set. Because go-cvss is a library, the impact depends on where it is embedded, typically security tools or vulnerability-management systems that consume CVSS data.
Potential Impact
The primary impact is denial of service: an unrecovered panic terminates the process that called the parser. The trigger is not malformed input but a well-formed CVSS v2.0 vector that defines all 14 metrics, so legitimate data arriving from an upstream vulnerability feed can trip it as easily as a deliberately crafted string. For European organizations relying on security tooling, vulnerability scanners or risk-management platforms that embed go-cvss, this means interrupted vulnerability-scoring workflows, delayed assessment and remediation, and a longer exposure window to other threats. The vulnerability does not lead to unauthorized data access or code execution; the impact is confined to availability and operational disruption. The scope is limited to applications that embed a vulnerable go-cvss version, which are niche but often critical components of a security pipeline. With no known exploits, the immediate risk is moderate, but it should be addressed proactively to keep scoring services stable and their results trustworthy.
Mitigation Recommendations
1. Upgrade the go-cvss module to version 0.4.0 or later, where the vulnerability is patched; pin the version in `go.mod` and confirm the resolved version with `go list -m github.com/pandatix/go-cvss`. This is the most effective and recommended mitigation.
2. If upgrading is not immediately feasible, validate CVSS v2.0 vectors before parsing and reject any that define all 14 metrics (the six base, three temporal and five environmental metrics), since those are the inputs that trigger the panic.
3. Go has no exceptions: wrap calls to `ParseVector` in a function that uses a deferred `recover()` to convert a panic into a returned error. Note that `recover` only catches panics raised on the goroutine it runs in, and an unrecovered panic terminates the whole process, not just the calling goroutine.
4. Run the vectors your environment actually ingests through the parser in a test harness, not in production, to find inputs that trip it, and filter those at the ingestion boundary.
5. Have dependency management and CI detect vulnerable versions, for example with `govulncheck`, which reports dependencies with known vulnerabilities from the Go vulnerability database, or by checking `go list -m all` output against the affected range.
6. Monitor security advisories and upstream releases for new developments or exploit reports related to this vulnerability.
7. For organizations developing their own security tools on go-cvss, consider contributing tests and validation improvements to the project to enhance its resilience.
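The two interim mitigations above (reject fully defined v2.0 vectors before they reach the parser, and recover from a parser panic instead of letting it take the process down) as an added Go example. This is not go-cvss code: the parser is passed in as a `func(string) error` so the real `ParseVector` can be dropped in behind a closure, `simulatedParseVector` is a constructed stand-in that panics on a 14-metric vector the way the advisory describes, and the metric/value table is taken from the CVSS v2.0 specification.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Allowed values per CVSS v2.0 metric (base, temporal, environmental groups),
// as defined by the CVSS v2.0 specification.
var cvss20Metrics = map[string][]string{
	"AV": {"L", "A", "N"}, "AC": {"H", "M", "L"}, "Au": {"M", "S", "N"},
	"C": {"N", "P", "C"}, "I": {"N", "P", "C"}, "A": {"N", "P", "C"},
	"E": {"U", "POC", "F", "H", "ND"}, "RL": {"OF", "TF", "W", "U", "ND"},
	"RC": {"UC", "UR", "C", "ND"}, "CDP": {"N", "L", "LM", "MH", "H", "ND"},
	"TD": {"N", "L", "M", "H", "ND"}, "CR": {"L", "M", "H", "ND"},
	"IR": {"L", "M", "H", "ND"}, "AR": {"L", "M", "H", "ND"},
}

// The six base metrics are mandatory in every v2.0 vector.
var cvss20Base = []string{"AV", "AC", "Au", "C", "I", "A"}

// ErrFullVector flags the input class that triggers CVE-2022-39213 on go-cvss < 0.4.0.
var ErrFullVector = errors.New("cvss20: all 14 metrics defined; refusing on vulnerable go-cvss")

// PreflightV2 checks a CVSS v2.0 vector string before it reaches the library parser:
// well-formed metric:value pairs, known metrics, allowed values, no duplicates and
// all base metrics present. It returns ErrFullVector when every metric is defined.
func PreflightV2(vector string) (map[string]string, error) {
	metrics := make(map[string]string)
	for _, part := range strings.Split(vector, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("cvss20: malformed metric %q", part)
		}
		allowed, known := cvss20Metrics[kv[0]]
		if !known {
			return nil, fmt.Errorf("cvss20: unknown metric %q", kv[0])
		}
		if _, dup := metrics[kv[0]]; dup {
			return nil, fmt.Errorf("cvss20: duplicate metric %q", kv[0])
		}
		if !contains(allowed, kv[1]) {
			return nil, fmt.Errorf("cvss20: invalid value %q for metric %s", kv[1], kv[0])
		}
		metrics[kv[0]] = kv[1]
	}
	for _, m := range cvss20Base {
		if _, ok := metrics[m]; !ok {
			return nil, fmt.Errorf("cvss20: missing base metric %s", m)
		}
	}
	if len(metrics) == len(cvss20Metrics) {
		return metrics, ErrFullVector
	}
	return metrics, nil
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// Guard runs fn and converts a panic raised on this goroutine into a returned
// error. recover only sees panics on the same goroutine, so call the parser
// directly inside fn rather than spawning it.
func Guard(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("cvss parser panicked: %v", r)
		}
	}()
	return fn()
}

// ParseCVSS20Guarded combines both interim mitigations: reject full vectors up
// front, then run the real parser (passed in as parse) under Guard.
func ParseCVSS20Guarded(vector string, parse func(string) error) error {
	if _, err := PreflightV2(vector); err != nil {
		return err
	}
	return Guard(func() error { return parse(vector) })
}

// simulatedParseVector is a constructed stand-in for the vulnerable ParseVector,
// not go-cvss code: it writes each metric into a table one slot too small, so a
// 14-metric vector trips Go's bounds check and panics instead of reading memory.
func simulatedParseVector(vector string) error {
	var slots [13]string
	for i, part := range strings.Split(vector, "/") {
		slots[i] = part // index 13 is out of range for a full vector
	}
	return nil
}

func main() {
	full := "AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M"
	partial := "AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C"
	for _, v := range []string{full, partial} {
		fmt.Printf("preflight+guard %q: %v\n", v, ParseCVSS20Guarded(v, simulatedParseVector))
		fmt.Printf("guard only      %q: %v\n", v, Guard(func() error { return simulatedParseVector(v) }))
	}
}
```

With the real library, the `parse` argument would be a closure such as `func(s string) error { _, err := gocvss20.ParseVector(s); return err }`, capturing the parsed value in the enclosing scope. The preflight step is what keeps a vulnerable build from ever reaching the panic; `Guard` is the safety net for vectors the preflight did not anticipate, and it should be removed once the module is upgraded so genuine parser bugs surface in testing.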
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf698d
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:31:38 PM
Last updated: 8/16/2025, 3:04:10 PM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)