SB20230820272 - Fedora EPEL 7 update for golang

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20230820272

SB20230820272 - Fedora EPEL 7 update for golang

Published: August 20, 2023

Security Bulletin ID SB20230820272
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2022-32149)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to ParseAcceptLanguage does not properly control consumption of internal resources. A remote attacker can send a specially crafted Accept-Language header that will take a significant time to parse and perform a denial of service (DoS) attack.


2) Code Injection (CVE-ID: CVE-2023-29402)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.

Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-29403)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime due to application allows to execute setuid/setgid binaries without any restrictions. An attacker with ability to control the application flow can execute arbitrary code on the system with elevated privileges.


4) Code Injection (CVE-ID: CVE-2023-29404)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

5) Code Injection (CVE-ID: CVE-2023-29405)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

Remediation

Install update from vendor's website.

References