Risk | High |
Patch available | YES |
Number of vulnerabilities | 20 |
CVE-ID | CVE-2022-29526 CVE-2022-30630 CVE-2022-1705 CVE-2022-1962 CVE-2022-27664 CVE-2022-28131 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-32189 CVE-2022-41715 CVE-2022-41717 CVE-2023-24534 CVE-2023-24537 CVE-2022-2879 CVE-2022-2880 CVE-2022-30629 CVE-2022-32148 CVE-2023-24538 |
CWE-ID | CWE-264 CWE-400 CWE-444 CWE-20 CWE-770 CWE-835 CWE-399 CWE-330 CWE-254 CWE-94 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #13 is available. |
Vulnerable software | Ubuntu (Operating systems & Components / Operating system); golang-1.16-src, golang-1.16-go, golang-1.16, golang-1.13-src, golang-1.13-go, golang-1.13 (Ubuntu packages; Operating systems & Components / Operating system package or component) |
Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
EUVDB-ID: #VU63173
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29526
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because the Faccessat function can incorrectly report that a file is accessible when called with a non-zero flags parameter. An attacker can bypass implemented security restrictions.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66063
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30630
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when calling Glob on a path that contains a large number of path separators. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66064
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1705
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of Transfer-Encoding headers in HTTP/1 responses. A remote attacker can send a specially crafted HTTP/1 response to the client and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66065
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1962
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources in go/parser. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU67396
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27664
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because an HTTP/2 connection can hang during closing if shutdown is preempted by a fatal error. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66069
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-28131
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when calling Decoder.Skip while parsing a deeply nested XML document. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66062
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30631
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources in the Reader.Read method when handling an archive that contains a large number of concatenated 0-length compressed files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66067
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30632
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when calling Glob on a path that contains a large number of path separators. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66070
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30633
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when calling Unmarshal on an XML document into a Go struct which has a nested field that uses the any field tag. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66068
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30635
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when calling Decoder.Decode on a message which contains deeply nested structures. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66121
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-32189
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Float.GobDecode. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68390
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-41715
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources in regexp/syntax when handling regular expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU70334
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-41717
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU74571
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-24534
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU74573
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-24537
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop when calling any of the Parse functions on Go source code which contains //line directives with very large line numbers. A remote attacker can consume all available system resources and cause denial of service conditions.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68387
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2879
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to absent limits on the maximum size of file headers within the Reader.Read method in archive/tar. A remote attacker can pass a specially crafted file to the application and perform a denial of service (DoS) attack.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68389
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2880
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform parameter smuggling attacks.
The vulnerability exists due to incorrect handling of requests forwarded by ReverseProxy in net/http/httputil. A remote attacker can supply specially crafted parameters that cannot be parsed and are rejected by net/http, and force the application to include these parameters in the forwarded request. As a result, a remote attacker can smuggle potentially dangerous HTTP parameters into the request.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66122
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30629
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists in the crypto/tls implementation when generating the TLS ticket age. The newSessionTicketMsgTLS13.ageAdd is always set to "0" instead of a random value.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66066
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-32148
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to unexpected behavior of httputil.ReverseProxy.ServeHTTP. When the method is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU74574
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-24538
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.
Mitigation
Update the affected package golang-1.13 to the latest version.
Vulnerable software versions
Ubuntu: 16.04 - 22.04
golang-1.16-src (Ubuntu package): before Ubuntu Pro
golang-1.16-go (Ubuntu package): before Ubuntu Pro
golang-1.16 (Ubuntu package): before Ubuntu Pro
golang-1.13-src (Ubuntu package): before Ubuntu Pro
golang-1.13-go (Ubuntu package): before Ubuntu Pro
golang-1.13 (Ubuntu package): before Ubuntu Pro
CPE2.3
http://ubuntu.com/security/notices/USN-6038-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.