ALAS2023-2023-048 --- golangID: oval:org.secpod.oval:def:19500124 | Date: (C)2023-06-12 (M)2024-02-26 |
Class: PATCH | Family: unix |
2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory.A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity. An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument. There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources. There's a flaw in golang's syscall.ForkExec interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability. A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (CVE-2022-24675(CVE-2022-27191(CVE-2022-27664(CVE-2022-28131(((CVE-2022-28327(CVE-2022-2879(CVE-2022-29526(CVE-2022-30629(CVE-2022-30630(CVE-2022-30631(CVE-2022-30632(CVE-2022-30633(CVE-2022-30635(CVE-2022-32148(CVE-2022-32189("https://go.dev", "../go"(CVE-2022-32190(CVE-2022-41715
Platform: |
Amazon Linux 2023 |