A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-7fecec055b advisory.

    Automatic update for golang-github-git-5-5.12.0-1.fc41.

    ##### **Changelog**

    ```
    * Tue Apr 23 2024 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 5.12.0-1
    - Update to 5.12.0 - Closes rhbz#2214601 rhbz#2255090 rhbz#2259808       rhbz#2259817 rhbz#2259827 rhbz#2259832

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of packer installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-49568 advisory.

  - A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This     vulnerability allows an attacker to perform denial of service attacks by providing specially crafted     responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only     the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git     implementation issue and does not affect the upstream git cli. (CVE-2023-49568)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3925 advisory.

    Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable     version of the Ceph storage system with a Ceph management platform, deployment utilities, and support     services.

    These new packages include numerous enhancements, bug fixes, and known issues. Space precludes documenting     all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for     information on the most significant of these changes:

    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/7.1/html/release_notes/index

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:0880 advisory.

    Red Hat OpenShift Serverless Client kn 1.31.1 provides a CLI to interact with     Red Hat OpenShift Serverless 1.31.1. The kn CLI is delivered as an RPM package     for installation on RHEL platforms, and as binaries for non-Linux platforms.

    This release includes security, bug fixes, and enhancements.

    Security Fix(es):

    * go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)
    * go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients     (CVE-2023-49569)
    * golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests     (CVE-2023-39326)
    * ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

    A Red Hat Security Bulletin, which addresses further details about the Rapid     Reset flaw is available in the References section.

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-526 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This     vulnerability allows an attacker to perform denial of service attacks by providing specially crafted     responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only     the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git     implementation issue and does not affect the upstream git cli. (CVE-2023-49568)

  - A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows     an attacker to create and amend files across the filesystem. In the worse case scenario, remote code     execution could be achieved. Applications are only affected if they are using the ChrootOS     https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using Plain     versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS     https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by     this issue. This is a go-git implementation issue and does not affect the upstream git cli.
    (CVE-2023-49569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of amazon-ssm-agent installed on the remote host is prior to 3.2.2222.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2024-1920 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This     vulnerability allows an attacker to perform denial of service attacks by providing specially crafted     responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only     the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git     implementation issue and does not affect the upstream git cli. (CVE-2023-49568)

  - A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows     an attacker to create and amend files across the filesystem. In the worse case scenario, remote code     execution could be achieved. Applications are only affected if they are using the ChrootOS     https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using Plain     versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS     https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by     this issue. This is a go-git implementation issue and does not affect the upstream git cli.
    (CVE-2023-49569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of amazon-ssm-agent installed on the remote host is prior to 3.2.2222.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2458 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This     vulnerability allows an attacker to perform denial of service attacks by providing specially crafted     responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only     the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git     implementation issue and does not affect the upstream git cli. (CVE-2023-49568)

  - A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows     an attacker to create and amend files across the filesystem. In the worse case scenario, remote code     execution could be achieved. Applications are only affected if they are using the ChrootOS     https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using Plain     versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS     https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by     this issue. This is a go-git implementation issue and does not affect the upstream git cli.
    (CVE-2023-49569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211030	Fedora 41 : golang-github-git-5 (2024-7fecec055b)	Nessus	Fedora Local Security Checks	critical
205673	CBL Mariner 2.0 Security Update: packer (CVE-2023-49568)	Nessus	MarinerOS Local Security Checks	high
200554	RHEL 8 / 9 : Red Hat Ceph Storage 7.1 (RHSA-2024:3925)	Nessus	Red Hat Local Security Checks	critical
196376	RHEL 8 : go-git (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
196261	RHEL 9 : go-git (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
194406	RHEL 8 : Release of OpenShift Serverless Client kn 1.31.1 (RHSA-2024:0880)	Nessus	Red Hat Local Security Checks	critical
190744	Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2024-526)	Nessus	Amazon Linux Local Security Checks	critical
190705	Amazon Linux AMI : amazon-ssm-agent (ALAS-2024-1920)	Nessus	Amazon Linux Local Security Checks	critical
190697	Amazon Linux 2 : amazon-ssm-agent (ALAS-2024-2458)	Nessus	Amazon Linux Local Security Checks	critical

Detections

Analytics

CVE-2023-49568

high

Tenable Plugins

critical

high

critical

high

critical

critical

critical

critical

critical