Fedora 37 : golang (2023-a9da32bf13)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-a9da32bf13 advisory. This release includes fixes to the go command, the crypto/tls, net/http packages, and several more. Tenable has extracted the preceding description block...
Fedora 38 : golang (2023-aad8537873)
The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-aad8537873 advisory. This release includes fixes to the go command, the crypto/tls, net/http packages, and several more. Tenable has extracted the preceding description block...
Amazon Linux AMI : amazon-ssm-agent (ALAS-2023-1825)
The version of amazon-ssm-agent installed on the remote host is prior to 3.2.1377.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1825 advisory. The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker t...
Amazon Linux 2 : amazon-ssm-agent, --advisory ALAS2-2023-2238 (ALAS-2023-2238)
The version of amazon-ssm-agent installed on the remote host is prior to 3.2.1377.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2238 advisory. A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fa...
Oracle Linux 8 : go-toolset:rhel8 (ELSA-2019-1519)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2019-1519 advisory. - Include patch to fix CVE-2019-9741 - Include patch to fix CVE-2019-9741 Tenable has extracted the preceding description block directly from the Oracle Linux...
Important: amazon-ssm-agent
Issue Overview: The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. CVE-2021-43565 A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with R...
golang: net/http: handle server errors after sending GOAWAY
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...
Important: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update
Migration Toolkit for Applications 6.2.0 release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...
Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2023-026)
The version of containerd installed on the remote host is prior to 1.6.19-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2023-026 advisory. http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Large handshake records may caus...
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...
golang: net/http, mime/multipart: denial of service from excessive resource consumption
A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service...
Moderate: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update
The Migration Toolkit for Containers (MTC) 1.7.11 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Amazon Linux 2 : golang (ALAS-2023-2163)
The version of golang installed on the remote host is prior to 1.20.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2163 advisory. RESERVED NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart:...
Important: golang
Issue Overview: RESERVED NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart: denial of service from excessive resource consumption https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41725 The ScalarMult and ScalarBaseMult...
CVE-2023-29406 Insufficient sanitization of Host header in net/http
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value...
HTTP Response Splitting
Overview: std/net/http is a Go standard library package. Affected versions of this package are vulnerable to HTTP Response Splitting. Go Vulnerability Report: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject...
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...
golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an issue during multipart form parsing. By sending a specially crafted input, a remote attacker can consume large amounts of CPU and memory, resulting in a denial of service...
Moderate: Red Hat Security Advisory: Red Hat Service Interconnect 1.4 Release security update
This is release 1.4 of the rpms for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allo...