| Description: | Summary:
The remote host is missing an update for the 'golang-1.18' package(s) announced via the USN-7109-1 advisory.
Vulnerability Insight:
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly use this issue to consume an excessive
amount of resources, resulting in a denial of service. (CVE-2023-24536)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permission bits.
An attacker could possibly use this issue to read or write files with
elevated privileges. (CVE-2023-29403)
Juho Nurminen discovered that Go incorrectly handled certain compiler
directives. An attacker could possibly use this issue to execute arbitrary
code. (CVE-2023-29404)
Juho Nurminen discovered that Go incorrectly handled certain crafted
arguments. An attacker could possibly use this issue to execute arbitrary
code at build time. (CVE-2023-29405)
Bartek Nowotarski discovered that Go incorrectly validated the contents of
host headers. A remote attacker could possibly use this issue to inject
additional headers or entire requests. (CVE-2023-29406)
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a
cross-site scripting attack. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the '//go:cgo_'
directives during compilation. An attacker could possibly use this issue
to inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly use this issue to cause a panic resulting in a denial of service.
(CVE-2023-39325)
Bartek Nowotarski was discovered that the Go net/http module did not
properly handle the requests when request's headers exceed MaxHeaderBytes.
An attacker could possibly use this issue to cause a panic resulting into
a denial of service. ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'golang-1.18' package(s) on Ubuntu 16.04, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04.
Solution:
Please install the updated package(s).
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
