SB2023040668 - Multiple vulnerabilities in Go programming language
Published: April 6, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Code Injection (CVE-ID: CVE-2023-24538)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.
2) Infinite loop (CVE-ID: CVE-2023-24537)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when calling any of the Parse functions on Go source code which contains //line directives with very large line numbers. A remote attacker can consume all available system resources and cause denial of service conditions.
3) Resource management error (CVE-ID: CVE-2023-24536)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within mime/multipart and net/textproto components when parsing multipart forms. A remote attacker can pass specially crafted request to the application and perform a denial of service (DoS) attack.
4) Resource exhaustion (CVE-ID: CVE-2023-24534)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://go.dev/cl/482079
- https://pkg.go.dev/vuln/GO-2023-1703
- https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
- https://go.dev/issue/59234
- https://go.dev/cl/482078
- https://go.dev/issue/59180
- https://pkg.go.dev/vuln/GO-2023-1702
- https://go.dev/cl/482077
- https://go.dev/cl/482076
- https://go.dev/cl/482075
- https://go.dev/issue/59153
- https://pkg.go.dev/vuln/GO-2023-1705
- https://go.dev/issue/58975
- https://pkg.go.dev/vuln/GO-2023-1704
- https://go.dev/cl/481994