JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3204 advisory.

    OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container     Platform.

    This advisory contains OpenShift Virtualization 4.13.0 RPMs.

    Security Fix(es):

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags     (CVE-2022-32149)

    * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

    * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

    * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short,     potentially allowing a denial of service (CVE-2022-32189)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * 4.13.0 rpms (BZ#2124993)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3613 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.22. See the     following advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2023:3615

    Security Fix(es):

    * golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

    * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags     (CVE-2022-32149)

    * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

    * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7398 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2022:7399

    Security Fix(es):

    * go-yaml: Denial of Service in go-yaml (CVE-2021-4235)
    * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
    * kubernetes: Unauthorized read of Custom Resources (CVE-2022-3162)
    * kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF) (CVE-2022-3172)
    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
    * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
    * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
    * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
    * cri-o: incorrect handling of the supplementary groups (CVE-2022-2995)
    * OpenShift: Missing HTTP Strict Transport Security (CVE-2022-3259)
    * cri-o: Security regression of CVE-2022-27652 (CVE-2022-3466)
    * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short,     potentially allowing a denial of service (CVE-2022-32189)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7398 advisory.

  - Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume     significant system resources. If parsing user input, this may be used as a denial of service vector.
    (CVE-2021-4235)

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could     cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics.
    After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive     information disclosure or possible data modification if an attacker has direct access to the affected     container where supplementary groups are used to set access permissions and is able to execute a binary     code in that container. (CVE-2022-2995)

  - python-scciclient: missing server certificate verification (CVE-2022-2996)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom     resources of a different type in the same API group without authorization. Clusters are impacted by this     vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same     API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The     same users are not authorized to read another custom resource in the same API group. (CVE-2022-3162)

  - A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client     traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the     client's API server credentials to third parties. (CVE-2022-3172)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

  - Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM)     attacks. (CVE-2022-3259)

  - The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via     RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o     missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via     RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with     inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For     more details, see https://access.redhat.com/security/cve/CVE-2022-27652. (CVE-2022-3466)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3613 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could     cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics.
    After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-048 advisory.

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function     invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3     Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
    (CVE-2021-41771)

  - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP     archive containing an invalid name or an empty filename field. (CVE-2021-41772)

  - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the     header canonicalization cache via HTTP/2 requests. (CVE-2021-44716)

  - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or     unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-     descriptor exhaustion. (CVE-2021-44717)

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to     Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to     be version tags. This can lead to incorrect access control if an actor is supposed to be able to create     branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return     true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested     expression. (CVE-2022-24921)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

  - Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could     cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics.
    After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879)

  - Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero     flags parameter, the Faccessat function could incorrectly report that a file is accessible.
    (CVE-2022-29526)

  - Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3     allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket     ages during session resumption. (CVE-2022-30629)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

  - Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.
    In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not     properly checked for. A malicious environment variable value can exploit this behavior to set a value for     a different environment variable. For example, the environment variable string A=B\x00C=D sets the     variables A=B and C=D. (CVE-2022-41716)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-18908 advisory.

    - Addresses CVE-2021-34558
    - Include patch to fix CVE-2019-9741
    - Fixes CVE-2019-6486
    - Fixes CVE-2018-16873, CVE-2018-16874, CVE-2018-16875
    - Fix CVE-2017-15041 and CVE-2017-15042
    - Resolves: bz1357602 - CVE-2016-5386
    - Resolves: bz1324344 - CVE-2016-3959
    - resolves bz1293451, CVE-2015-8618

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-24267 advisory.

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could     cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics.
    After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.
    In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not     properly checked for. A malicious environment variable value can exploit this behavior to set a value for     a different environment variable. For example, the environment variable string A=B\x00C=D sets the     variables A=B and C=D. (CVE-2022-41716)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-193 advisory.

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x before 1.18.4, stack exhaustion and a     panic can occur via a deeply nested XML document. (CVE-2022-28131)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-144 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202209-26 (Go: Multiple Vulnerabilities)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3326-1 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 6fea7103-2ea4-11ed-b403-3dae8ac60d3e advisory.

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
199603	RHEL 8 : helm (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
194320	RHEL 7 / 8 / 9 : OpenShift Virtualization 4.13.0 RPMs (RHSA-2023:3204)	Nessus	Red Hat Local Security Checks	high
194228	RHEL 8 / 9 : OpenShift Container Platform 4.12.22 (RHSA-2023:3613)	Nessus	Red Hat Local Security Checks	high
194196	RHEL 8 / 9 : OpenShift Container Platform 4.12.0 (RHSA-2022:7398)	Nessus	Red Hat Local Security Checks	high
189448	RHCOS 4 : OpenShift Container Platform 4.12.0 (RHSA-2022:7398)	Nessus	Red Hat Local Security Checks	high
189414	RHCOS 4 : OpenShift Container Platform 4.12.22 (RHSA-2023:3613)	Nessus	Red Hat Local Security Checks	high
173069	Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2023-048)	Nessus	Amazon Linux Local Security Checks	critical
172239	Oracle Linux 8 : ol8addon (ELSA-2023-18908)	Nessus	Oracle Linux Local Security Checks	high
168151	Oracle Linux 8 : ol8addon (ELSA-2022-24267)	Nessus	Oracle Linux Local Security Checks	high
166999	Amazon Linux 2022 : (ALAS2022-2022-193)	Nessus	Amazon Linux Local Security Checks	critical
165576	Amazon Linux 2022 : (ALAS2022-2022-144)	Nessus	Amazon Linux Local Security Checks	high
165543	GLSA-202209-26 : Go: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
165305	SUSE SLED15 / SLES15 Security Update : go1.19 (SUSE-SU-2022:3326-1)	Nessus	SuSE Local Security Checks	high
164814	FreeBSD : go -- multiple vulnerabilities (6fea7103-2ea4-11ed-b403-3dae8ac60d3e)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-32190

high

Tenable Plugins

high

high

high

high

high

high

critical

high

high

critical

high

high

high

high