The version of golang installed on the remote host is prior to 1.16.15-1.37. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1583 advisory.

    2024-01-03: CVE-2021-27919 was added to this advisory.

    An out of bounds read vulnerability was found in golang. When using the archive/zip standard library     (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice     (array) causing a panic in the runtime. A potential attacker can use this vulnerability to craft an     archive which causes an application using this library to crash resulting in a Denial of Service (DoS).
    (CVE-2021-27919)

    A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm     GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from     the arguments. The highest threat from this vulnerability is to integrity. (CVE-2021-38297)

    An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the     debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can     cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols.
    An attacker can use this vulnerability to craft a file which causes an application using this library to     crash resulting in a denial of service. (CVE-2021-41771)

    A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where     Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP     archive containing completely invalid names or an empty filename argument. (CVE-2021-41772)

    There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader()     function. An attacker who submits specially crafted requests to applications linked with net/http's http2     functionality could cause excessive resource consumption that could lead to a denial of service or     otherwise impact to system performance and resources. (CVE-2021-44716)

    There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause a file     descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could     compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with     and using syscall.ForkExec(). (CVE-2021-44717)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux AMI : golang (ALAS-2022-1583)

critical Nessus Plugin ID 160332

Version 1.5

Version 1.4

Version 1.5 Dec 11, 2024, 10:15 PM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412112215
Version 1.4 Jan 9, 2024, 3:33 AM CVE (set "CVE" coverage to "CVE-2021-27919,CVE-2021-38297,CVE-2021-41771,CVE-2021-41772,CVE-2021-44716,CVE-2021-44717") Plugin metadata Detection (updated detection logic) Plugin Feed: 202401090333