The version of golang installed on the remote host is prior to 1.20.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2163 advisory.

    RESERVEDNOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E (CVE-2022-41724)

    Golang: net/http, mime/multipart: denial of service from excessive resource consumption     (https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E) (CVE-2022-41725)

    The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with     some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages     of crypto/ecdsa or crypto/ecdh. (CVE-2023-24532)

    Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing     very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the     total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed,     leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased     pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3.
    ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage     collector. The combination of these factors can permit an attacker to cause an program that parses     multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service.
    This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http     package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix,     ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many     fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits     on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit     may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with     NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with     ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with     the environment variable GODEBUG=multipartmaxheaders=. (CVE-2023-24536)

    Templates did not properly consider backticks (`) as Javascript string delimiters, and as such didnot     escape them as expected. Backticks are used, since ES6, for JS template literals. If a templatecontained a     Go template action within a Javascript template literal, the contents of the action couldbe used to     terminate the literal, injecting arbitrary Javascript code into the Go template. (CVE-2023-24538)

    html/template: improper handling of JavaScript whitespace.

    Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing     whitespace characters outside of the character set \t\n\f\r\u0020\u2028\u2029 in JavaScript contexts     that also contain actions may not be properly sanitized during execution. (CVE-2023-24540)

    html/template: improper handling of empty HTML attributes.

    Templates containing actions in unquoted HTML attributes (e.g. attr={{.}}) executed with empty input     could result in output that would have unexpected results when parsed due to HTML normalization rules.
    This may allow injection of arbitrary attributes into tags. (CVE-2023-29400)

    On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid     bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of     standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors     closed, opening any files can result in unexpected content being read or written with elevated privileges.
    Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents     of its registers. (CVE-2023-29403)

    The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. The arguments for a number of flags     which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled     through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. (CVE-2023-29404)

    The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : golang (ALAS-2023-2163)

critical Nessus Plugin ID 178816

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.2 Dec 8, 2023, 11:43 AM IAVM reference Plugin Feed: 202312081143
Version 1.1 Oct 13, 2023, 2:22 PM IAVM reference Plugin Feed: 202310131422
Version 1.0 Jul 26, 2023, 12:08 PM New Plugin Feed: 202307261208