The version of golang installed on the remote host is prior to 1.18.9-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2015 advisory.

    Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

    Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in     the working directory named either ..com or ..exe by calling Cmd.Run, Cmd.Start, Cmd.Output, or     Cmd.CombinedOutput when Cmd.Path is unset. (CVE-2022-30580)

    Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause     an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. (CVE-2022-30634)

    The Go project has described this issue as follows:

    On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid     path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a     directory traversal attack. The filepath.Clean function will now transform this path into the relative     (but still invalid) path .\c:\b. (CVE-2022-41722)

    http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)

    RESERVEDNOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E (CVE-2022-41724)

    Golang: net/http, mime/multipart: denial of service from excessive resource consumption     (https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E) (CVE-2022-41725)

    The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with     some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages     of crypto/ecdsa or crypto/ecdh. (CVE-2023-24532)

    HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs.

    Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers     to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit     this behavior to cause an HTTP server to allocate large amounts of memory from a small request,     potentially leading to memory exhaustion and a denial of service. (CVE-2023-24534)

    Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing     very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the     total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed,     leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased     pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3.
    ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage     collector. The combination of these factors can permit an attacker to cause an program that parses     multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service.
    This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http     package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix,     ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many     fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits     on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit     may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with     NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with     ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with     the environment variable GODEBUG=multipartmaxheaders=. (CVE-2023-24536)

    Calling any of the Parse functions on Go source code which contains //line directives with very large line     numbers can cause an infinite loop due to integer overflow. (CVE-2023-24537)

    Templates did not properly consider backticks (`) as Javascript string delimiters, and as such didnot     escape them as expected. Backticks are used, since ES6, for JS template literals. If a templatecontained a     Go template action within a Javascript template literal, the contents of the action couldbe used to     terminate the literal, injecting arbitrary Javascript code into the Go template. (CVE-2023-24538)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : golang (ALAS-2023-2015)

critical Nessus Plugin ID 174580

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.2 May 4, 2023, 6:02 PM IAVM reference Plugin Feed: 202305041802
Version 1.1 Apr 21, 2023, 2:04 PM Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202304211404
Version 1.0 Apr 21, 2023, 2:02 AM New Plugin Feed: 202304210202