golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0407 advisory.

    OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container     Platform.This advisory contains OpenShift Virtualization 4.12.0 RPMs.

    Security Fix(es):

    * golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)

    * golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)

    * golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)

    * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

    * golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

    * golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)

    * golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

    * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

    * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

    * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

    * golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

    * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

    * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

    * golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5873-1 advisory.

    It was discovered that Go Text incorrectly handled certain encodings. An attacker could possibly use this     issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2020-14040)

    It was discovered that Go Text incorrectly handled certain BCP 47 language tags. An attacker could     possibly use this issue to cause a denial of service. CVE-2020-28851, CVE-2020-28852 and CVE-2021-38561     affected only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28851, CVE-2020-28852, CVE-2021-38561,     CVE-2022-32149)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
199736	RHEL 8 : podman (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
199703	RHEL 9 : podman (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
195780	RHEL 7 : golang (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194211	RHEL 7 / 8 : OpenShift Virtualization 4.12.0 RPMs (RHSA-2023:0407)	Nessus	Red Hat Local Security Checks	medium
171575	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Go Text vulnerabilities (USN-5873-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2021-38561

high

Tenable Plugins

high

high

critical

critical

medium

high