Description:
Summary: The remote host is missing an update for the 'golang-1.20, golang-1.21' package(s) announced via the USN-6574-1 advisory.
Vulnerability Insight: Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of the html/template module. An attacker could possibly use this issue to inject JavaScript code and perform a cross-site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the '//go:cgo_' directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously executing handler goroutines in the net/http module. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2023-39325, CVE-2023-44487)
It was discovered that the Go net/http module did not properly validate chunk extensions when reading from a request or response body. An attacker could possibly use this issue to read sensitive information. (CVE-2023-39326)
It was discovered that Go did not properly validate the insecure 'git://' protocol when using go get to fetch a module with the '.git' suffix. An attacker could possibly use this issue to bypass secure protocol checks. (CVE-2023-45285)
Affected Software/OS: 'golang-1.20, golang-1.21' package(s) on Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.04, Ubuntu 23.10.
Solution: Please install the updated package(s).
CVSS Score: 7.6
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C