Skip to main content

CVE-2022-39213: CWE-125: Out-of-bounds Read in pandatix go-cvss

Medium
Published: Thu Sep 15 2022 (09/15/2022, 21:45:12 UTC)
Source: CVE
Vendor/Project: pandatix
Product: go-cvss

Description

go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS). In affected versions when a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`. Users are advised to upgrade. Users unable to upgrade may avoid this issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`). As stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`. The entry has already been requested to the NVD CPE dictionary.

AI-Powered Analysis

AILast updated: 06/21/2025, 23:31:38 UTC

Technical Analysis

CVE-2022-39213 is a medium-severity vulnerability identified in the pandatix go-cvss Go module, which is used for parsing and manipulating Common Vulnerability Scoring System (CVSS) vectors. The vulnerability arises specifically when parsing a full CVSS v2.0 vector string using the `ParseVector` function. Due to insufficient bounds checking in the code, an out-of-bounds read (CWE-125) can occur. This results in the Go runtime panicking, which effectively causes a denial of service (DoS) condition within any application or service relying on this module. The issue affects versions of go-cvss from 0.2.0 up to, but not including, 0.4.0. The vulnerability is patched in version 0.4.0 by adding proper validation to prevent out-of-bounds access. Users who cannot upgrade immediately can mitigate the issue by avoiding parsing fully defined CVSS v2.0 vectors and instead only parse partial vectors that do not include all attributes. The vulnerability does not appear to have been exploited in the wild to date. The root cause is a lack of comprehensive input validation and testing when handling complex CVSS vector strings, which leads to unsafe memory access in Go. Since go-cvss is a library, the impact depends on how and where it is integrated, typically in security tools or vulnerability management systems that consume CVSS data.

Potential Impact

The primary impact of this vulnerability is a denial of service due to application panics triggered by malformed or fully defined CVSS v2.0 vectors. For European organizations, especially those relying on security tooling, vulnerability scanners, or risk management platforms that incorporate the go-cvss module, this could lead to service interruptions or failures in vulnerability scoring workflows. This may delay vulnerability assessment and remediation processes, potentially increasing exposure windows to other threats. However, the vulnerability does not directly lead to unauthorized data access or code execution, limiting its impact to availability and operational disruption. Since the vulnerability requires processing specific CVSS vectors, exploitation is contingent on receiving or processing crafted input data. The scope is limited to applications that embed the vulnerable go-cvss versions, which are likely niche but critical components in security ecosystems. Given no known exploits exist, the immediate risk is moderate but should be addressed proactively to maintain operational stability and trust in vulnerability scoring accuracy.

Mitigation Recommendations

1. Upgrade the go-cvss module to version 0.4.0 or later, where the vulnerability is patched. This is the most effective and recommended mitigation. 2. If upgrading is not immediately feasible, implement input validation to restrict CVSS v2.0 vectors to partial vectors that do not include all attributes, thereby avoiding triggering the out-of-bounds read. 3. Add robust error handling around calls to `ParseVector` to gracefully handle panics or exceptions, preventing application crashes. 4. Conduct thorough testing of all CVSS vector inputs in your environment to identify and filter out problematic vectors before parsing. 5. Review and update dependency management and continuous integration pipelines to detect and prevent use of vulnerable versions of go-cvss. 6. Monitor security advisories and vendor updates for any new developments or exploit reports related to this vulnerability. 7. For organizations developing their own security tools, consider contributing patches or improvements to the go-cvss project to enhance input validation and resilience.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-09-02T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf698d

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:31:38 PM

Last updated: 8/16/2025, 3:04:10 PM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats