UbuntuUSN-6574-1Go vulnerabilities
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.72 High
EPSS
Percentile
98.0%
Releases
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Packages
- golang-1.20 - Go programming language compiler
- golang-1.21 - Go programming language compiler
Details
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a cross
site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the “//go:cgo_”
directives during compilation. An attacker could possibly use this issue to
inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly use this issue to cause a panic resulting into a denial of service.
(CVE-2023-39325, CVE-2023-44487)
It was discovered that the Go net/http module did not properly validate the
chunk extensions reading from a request or response body. An attacker could
possibly use this issue to read sensitive information. (CVE-2023-39326)
It was discovered that Go did not properly validate the insecure “git://”
protocol when using go get to fetch a module with the “.git” suffix. An
attacker could possibly use this issue to bypass secure protocol checks.
(CVE-2023-45285)
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Ubuntu | 23.10 | noarch | golang-1.20 | < 1.20.8-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.10 | noarch | golang-1.20-doc | < 1.20.8-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.10 | noarch | golang-1.20-go | < 1.20.8-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.10 | noarch | golang-1.20-src | < 1.20.8-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.10 | noarch | golang-1.21 | < 1.21.1-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.10 | noarch | golang-1.21-doc | < 1.21.1-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.10 | noarch | golang-1.21-go | < 1.21.1-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.10 | noarch | golang-1.21-src | < 1.21.1-1ubuntu0.23.10.1 | UNKNOWN |
| Ubuntu | 23.04 | noarch | golang-1.20 | < 1.20.3-1ubuntu0.2 | UNKNOWN |
| Ubuntu | 23.04 | noarch | golang-1.20-doc | < 1.20.3-1ubuntu0.2 | UNKNOWN |
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.72 High
EPSS
Percentile
98.0%