According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0950-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:4156 advisory.

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-02 (Go: Multiple Vulnerabilities)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,     DecodeElement, or Skip method. (CVE-2021-27918)

  - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon     attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any     filename. (CVE-2021-27919)

  - Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address     octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses,     because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

  - net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of     service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each     be affected in some configurations. (CVE-2021-31525)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function     invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3     Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
    (CVE-2021-41771)

  - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP     archive containing an invalid name or an empty filename field. (CVE-2021-41772)

  - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the     header canonicalization cache via HTTP/2 requests. (CVE-2021-44716)

  - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or     unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-     descriptor exhaustion. (CVE-2021-44717)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to     Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to     be version tags. This can lead to incorrect access control if an actor is supposed to be able to create     branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return     true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested     expression. (CVE-2022-24921)

  - Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when     presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to     panic. (CVE-2022-27536)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

  - Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero     flags parameter, the Faccessat function could incorrectly report that a file is accessible.
    (CVE-2022-29526)

  - golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  - golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

  - Automatic update for grafana-8.5.6-1.fc37.  ##### **Changelog**  ``` * Wed Jun 29 2022 Andreas Gerstmayr     <agerstmayr@redhat.com> 8.5.6-1 - update to 8.5.6 tagged upstream community sources, see CHANGELOG -     updated license to AGPLv3 - place commented sample config file in /etc/grafana/grafana.ini - enable Go     modules in build process - adapt Node.js bundling to yarn v3 and Zero Install feature * Sun Jun 19 2022     Robert-Andr Mauchin <zebob.m@gmail.com> - 7.5.15-3 - Rebuilt for CVE-2022-1996, CVE-2022-24675,     CVE-2022-28327, CVE-2022-27191,   CVE-2022-29526, CVE-2022-30629  ``` (CVE-2022-30629)

  - golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  - golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  - golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  - golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

  - golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  - golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

  - The Go project reports: encoding/gob & math/big: decoding big.Float and             big.Rat can panic     Decoding big.Float and big.Rat types can panic if the             encoded message is too short.
    (CVE-2022-32189)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

遠端 CentOS Linux 8 主機上安裝的套件受到 CESA-2021: 4156 公告中提及的多個弱點影響。

  - golang：net：查詢函式可能傳回無效的主機名稱 (CVE-2021-33195)

  - golang：net/http/httputil：如果第一個標頭為空，ReverseProxy 會轉送連線標頭 (CVE-2021-33197)

  - golang：math/big.Rat：如果傳遞具有很大指數的輸入，可能會造成不穩定或無法復原的嚴重錯誤 (CVE-2021-33198)

  - golang：net/http/httputil：處理程序錯誤後因爭用性讀取 persistConn 而發生錯誤 (CVE-2021-36221)

請注意，Nessus 並未測試此問題，而是僅依據應用程式自我報告的版本號碼。

遠端 Redhat Enterprise Linux 8 主機上安裝的套件受到 RHSA-2021: 3009 公告中提及的多個弱點影響。

  - golang：net：查詢函式可能傳回無效的主機名稱 (CVE-2021-33195)

  - golang：net/http/httputil：如果第一個標頭為空，ReverseProxy 會轉送連線標頭 (CVE-2021-33197)

  - golang：math/big.Rat：如果傳遞具有很大指數的輸入，可能會造成不穩定或無法復原的嚴重錯誤 (CVE-2021-33198)

  - golang：crypto/tls：憑證類型錯誤造成 TLS 用戶端不穩定 (CVE-2021-34558)

請注意，Nessus 並未測試這些問題，而是僅依據應用程式自我報告的版本號碼作出判斷。

遠端主機受到 GLSA-202208-02 中所述的弱點影響 (Go：多個弱點)

  - Go 1.14.12 之前版本以及 1.15.5 之前的 1.15.x 版本允許發生程式碼插入攻擊。(CVE-2020-28366)

  - Go 1.14.12 之前版本以及 1.15.5 之前的 1.15.x 版本允許發生引數插入攻擊。(CVE-2020-28367)

  - 在 Go 1.15.9 版和 1.16.x 版的 1.16.1 之前版本中，如果自訂 TokenReader (對於 xml.NewTokenDecoder) 在元件中間返回 EOF，則 encoding/xml 會發生無限迴圈。Decode、DecodeElement 或 Skip 方法中皆可發生此問題。(CVE-2021-27918)

  - 在 Go 1.16.1 之前的 1.16.x 版本中，archive/zip 允許攻擊者在針對任何檔案名稱開頭出現 ../ 的 ZIP 封存嘗試使用 Reader.Open API 時，造成程式拒絕服務 (發生錯誤)。(CVE-2021-27919)

  - Go 1.17 之前版本未正確考量 IP 位址八位元組開頭的無關零字元，由於非預期的八進位轉譯，這 (在某些情況下) 允許攻擊者繞過以 IP 位址為基礎的存取控制。這會影響 net.ParseIP 和 net.ParseCIDR。(CVE-2021-29923)

  - 在 Go 1.14.14 和 1.15.x 版的 1.15.7 之前版本中，crypto/elliptic/p224.go 可以生成不正確的輸出，此問題與最後完整還原過程中 P-224 欄位中最低分支的反向溢位相關。
    (CVE-2021-3114)

  - Windows 上的 Go 1.14.14 和 1.15.x 版的 1.15.7 之前版本在使用 go get 命令擷取利用 CGO 的模組時 (例如，CGO 可以從不受信任的下載來源執行 GCC 程序)，很容易受到命令插入和遠端程式碼執行攻擊。(CVE-2021-3115)

  - 1.15.12 版之前的 net/http (在 Go 中) 和 1.16.4 版之前的 1.16.x 允許遠端攻擊者透過傳送至 ReadRequest 或 ReadResponse 的大形標頭，以引發拒絕服務 (不穩定)。伺服器、傳輸和用戶端在某些組態中都會受到影響。(CVE-2021-31525)

  - 1.15.13 之前的 Go 和 1.16.5 之前的 1.16.x 具有不驗證來自 DNS 伺服器的回覆的 DNS 查閱函式，因此傳回值可能包含不符合 RFC1035 格式的不安全插入 (例如 XSS)。(CVE-2021-33195)

  - 在 Go 1.15.13 版和 1.16.x 的 1.16.5 之前版本中，封存/ZIP 中特製的檔案數（在封存的標頭中）可能會導致 NewReader 或 OpenReader 錯誤。(CVE-2021-33196)

  - 在 1.15.13 版之前的 Go 和 1.16.5 版之前的 1.16.x，攻擊者可以利用 ReverseProxy 的一些配置 (來自 net/http/httputil) 插入任意標頭。
    (CVE-2021-33197)

  - 在 1.15.13 版之前的 Go 和 1.16.x 版之前的 1.16.5，大量使用 math/big.Rat SetString 或 UnmarshalText 方法可能會引起錯誤。(CVE-2021-33198)

  - 在 Go 1.16.5 版以及之前的所有版本中，crypto/tls 套件在進行 RSA 型金鑰交換時，未正確宣告 X.509 憑證中的公開金鑰類型符合預期類型，惡意 TLS 伺服器會藉此造成 TLS 用戶端不穩定。(CVE-2021-34558)

  - 1.15.15 之前的版本和 1.16.7 之前的 1.16.x 存在一個爭用情形，可導致 ErrAbortHandler 中止時發生 net/http/httputil ReverseProxy 錯誤。(CVE-2021-36221)

  - 使用 GOARCH=wasm GOOS=js 時，Go 1.16.9 之前版本和 Go 1.17.x 至 1.17.2 版本會透過大型引數從 WASM 模組叫用函式來造成緩衝區溢位。(CVE-2021-38297)

  - 在早於 1.16.10 版的 Go 和早於 1.17.x 版的 Go 1.17.3 中，debug/macho (針對 Open 或 OpenFat) 中的 ImportedSymbols 會存取緩衝區結尾後的記憶體位置，此情形亦即「超出邊界分割」。
    (CVE-2021-41771)

  - Go 1.16.10 之前版本和 Go 1.17.x 至 1.17.3 版本允許透過建構包含無效名稱或空白檔案名稱欄位的 ZIP 封存造成 archive/zip Reader.Open 錯誤。(CVE-2021-41772)

  - 在早於 1.16.12 版的 Go 和早於 1.17.x 版的  Go 1.17.5 中，net/http 允許透過 HTTP/2 要求在標頭標準化快取中消耗不受控制的記憶體。(CVE-2021-44716)

  - 由於在檔案描述符號耗儘後錯誤關閉檔案描述符號 0，因此 UNIX 上早於 1.16.12 的 Go 版本和早於 1.17.x 的 Go 1.17.5 版本允許寫入非預定檔案或非預定網路連線。(CVE-2021-44717)

  - 在 Go 1.16.14 之前版本和 Go 1.17.x 至 1.17.7 版本中，math/big 的 Rat.SetString 內有溢位問題，可能導致不受控制的記憶體消耗。(CVE-2022-23772)

  - 在 Go 1.16.14 之前版本和 1.17.x 至 1.17.7 版本中，cmd/go 會錯誤地將分支名稱解釋為版本標籤。如果執行者能夠建立分支，但不能建立標籤，此弱點有可能會導致不正確的存取控制問題。(CVE-2022-23773)

  - 在 Go 1.16.14 之前版本和 Go 1.17.x 至 1.17.7 版本中，crypto/elliptic 內的 Curve.IsOnCurve 在 big.Int 值不是有效欄位元素的情況下，可能會不正確地傳回 true。(CVE-2022-23806)

  - 在 Go 1.17.9 之前版本以及 1.18.x 的 1.18.1 之前版本中，encoding/pem 允許透過大量 PEM 資料造成解碼堆疊溢位問題。(CVE-2022-24675)

  - Go 1.16.15 之前版本和 Go 1.17.x 至 1.17.8 版本中的 regexp.Compile 允許透過深度巢狀運算式造成堆疊耗盡。(CVE-2022-24921)

  - 在 Go 1.18.x 版的 1.18.1 之前版本中，當提供某些格式錯誤的憑證時，crypto/x509 中的 Certificate.Verify 可能會在 macOS 上發生錯誤，這允許遠端 TLS 伺服器造成 TLS 用戶端發生錯誤。(CVE-2022-27536)

  - 在 Go 1.17.9 之前版本以及 1.18.x 的 1.18.1 之前版本中，crypto/elliptic 的一般 P-256 特徵允許透過長純量輸入造成錯誤。(CVE-2022-28327)

  - 在 Go 1.17.10 之前版本和 1.18.2 之前的 1.18.x 版本中具有不正確的權限指派。使用非零旗標參數呼叫時，Faccessat 函式可能會錯誤報告檔案可供存取。
    (CVE-2022-29526)

  - golang：net/http：不當清理 Transfer-Encoding 標頭 (CVE-2022-1705)

  - golang：encoding/xml：Decoder.Skip 中的堆疊耗盡弱點 (CVE-2022-28131)

  - grafana-8.5.6-1.fc37 的自動更新。##### **變更記錄** ``` * 2022 年 6 月 29 日星期三 Andreas Gerstmayr <agerstmayr@redhat.com> 8.5.6-1 - 更新標記 8.5.6 的上游社群原始程式碼，請參閱變更記錄 - 已更新 AGPLv3 的授權 - 在 /etc/grafana/grafana.ini 中放置加註解的範例組態檔案 - 在構建程序中啟用 Go 模組 - 根據 yarn v3 和 Zero Install 功能調整 Node.js bundling * Sun 2022 年 6 月 19 日 Robert-Andr Mauchin <zebob.m@gmail.com> - 7.5.15-3 - 針對 CVE-2022-1996、CVE-2022-24675、CVE-2022-28327、CVE-2022-27191、CVE-2022-29526、CVE-2022-30629 重新構建``` (CVE-2022-30629)

  - golang：io/fs：Glob 中的堆疊耗盡弱點 (CVE-2022-30630)

  - golang：compress/gzip：Reader.Read 中的堆疊耗盡弱點 (CVE-2022-30631)

  - golang：path/filepath：Glob 中的堆疊耗盡弱點 (CVE-2022-30632)

  - golang：encoding/xml：Unmarshal 中的堆疊耗盡弱點 (CVE-2022-30633)

  - golang：encoding/gob：Decoder.Decode 中的堆疊耗盡弱點 (CVE-2022-30635)

  - golang：net/http/httputil：NewSingleHostReverseProxy - 省略 X-Forwarded-For 無法運作 (CVE-2022-32148)

  - Go 專案報告：encoding/gob 與 math/big：解碼 big.Float 和 big.Rat 可能會發生錯誤。如果編碼的訊息太短，則解碼 big.Float 和 big.Rat 類型可能會發生錯誤。
    (CVE-2022-32189)

請注意，Nessus 並未測試這些問題，而是僅依據應用程式自我報告的版本號碼作出判斷。

ID	Name	Product	Family	Published	Updated	Severity
155254	EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2710)	Nessus	Huawei Local Security Checks	11/11/2021	11/24/2023	high
151282	openSUSE 15 Security Update : go1.15 (openSUSE-SU-2021:0950-1)	Nessus	SuSE Local Security Checks	7/2/2021	12/11/2023	high
158854	AlmaLinux 8 : go-toolset:rhel8 (ALSA-2021:4156)	Nessus	Alma Linux Local Security Checks	3/11/2022	11/6/2023	high
163840	GLSA-202208-02 : Go: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	8/4/2022	10/16/2023	critical
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	5/2/2024	5/30/2024	critical
155083	CentOS 8：go-toolset: rhel8 (CESA-2021: 4156)	Nessus	CentOS Local Security Checks	11/11/2021	11/24/2023	high
152585	RHEL 8：OpenShift Container Platform 4.6.42 (RHSA-2021: 3009)	Nessus	Red Hat Local Security Checks	8/16/2021	4/28/2024	high
163840	GLSA-202208-02：Go：多個弱點	Nessus	Gentoo Local Security Checks	8/4/2022	10/16/2023	critical
194928	Splunk Enterprise 8.2.0 < 8.2.12、9.0.0 < 9.0.6、9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	5/2/2024	5/30/2024	critical

Detections

Analytics

Plugins Search

high

high

high

critical

critical

high

high

critical

critical