In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

The version of multus installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2020-28852 advisory.

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2022-3920:02 advisory.

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)
      * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)
      * golang: net/[http:](http:) improper sanitization of Transfer-Encoding header (CVE-2022-1705)
      * golang: net/[http:](http:) handle server errors after sending GOAWAY (CVE-2022-27664)
      * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
      * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
      * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
      * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working     (CVE-2022-32148)
      * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short,     potentially allowing a denial of service (CVE-2022-32189)

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-5056:01 advisory.

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u-     extension (CVE-2020-28851)
      * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing     bcp47 tag (CVE-2020-28852)
      * podman: podman machine spawns gvproxy with port bound to all IPs     (CVE-2021-4024)
      * podman: Remote traffic to rootless containers is seen as orginating from     localhost (CVE-2021-20199)
      * containers/storage: DoS via malicious image (CVE-2021-20291)
      * golang: net/http/httputil: ReverseProxy forwards connection headers if first     one is empty (CVE-2021-33197)
      * golang: crypto/tls: certificate of wrong type is causing TLS client to panic     (CVE-2021-34558)
      * golang: net: lookup functions may return invalid host names (CVE-2021-33195)
      * golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if     passed inputs with very large exponents (CVE-2021-33198)
      * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
      * podman: possible information disclosure and modification (CVE-2022-2989)
      * buildah: possible information disclosure and modification (CVE-2022-2990)
      * golang: net/[http:](http:) improper sanitization of Transfer-Encoding header (CVE-2022-1705)
      * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
      * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
      * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)     CVE(s):
    CVE-2020-28851     CVE-2020-28852     CVE-2021-20199     CVE-2021-20291     CVE-2021-33195     CVE-2021-33197     CVE-2021-33198     CVE-2021-34558     CVE-2021-4024     CVE-2022-1705     CVE-2022-2989     CVE-2022-2990     CVE-2022-27191     CVE-2022-30630     CVE-2022-30631     CVE-2022-30632

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0180 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2020-28851:
    In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing     the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

    CVE-2020-28852:
    In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.)

    CVE-2022-1705:
    Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid.

    CVE-2022-27664:
    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

    CVE-2022-30630:
    Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.

    CVE-2022-30632:
    Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.

    CVE-2022-30635:
    Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.

    CVE-2022-32148:
    Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header.

    CVE-2022-32189:
    A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5873-1 advisory.

    It was discovered that Go Text incorrectly handled certain encodings. An attacker could possibly use this     issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2020-14040)

    It was discovered that Go Text incorrectly handled certain BCP 47 language tags. An attacker could     possibly use this issue to cause a denial of service. CVE-2020-28851, CVE-2020-28852 and CVE-2021-38561     affected only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28851, CVE-2020-28852, CVE-2021-38561,     CVE-2022-32149)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7954 advisory.

    [2:4.2.0-3.0.1]
    - Drop nmap-ncat requirement and skip ignore-socket test case [Orabug: 34117404]

    [2:4.2.0-3]
    - fix dependency in test subpackage
    - Related: #2061316

    [2:4.2.0-2]
    - readd catatonit
    - Related: #2061316

    [2:4.2.0-1]
    - update to latest content of https://github.com/containers/podman/releases/tag/4.2.0       (https://github.com/containers/podman/commit/7fe5a419cfd2880df2028ad3d7fd9378a88a04f4)
    - Related: #2061316

    [2:4.2.0-0.3rc3]
    - require catatonit for gating tests
    - Related: #2061316

    [2:4.2.0-0.2rc3]
    - update to 4.2.0-rc3
    - Related: #2061316

    [2:4.2.0-0.1rc2]
    - update to 4.2.0-rc2
    - Related: #2061316

    [2:4.1.1-6]
    - convert catatonit dependency to soft dep as catatonit is       no longer in Appstream but in CRB
    - Related: #2061316

    [2:4.1.1-5]
    - rebuild for combined gating with catatonit
    - Related: #2097694

    [2:4.1.1-4]
    - catatonit is now a standalone package
    - Related: #2097694

    [2:4.1.1-3]
    - update to the latest content of https://github.com/containers/podman/tree/v4.1.1-rhel       (https://github.com/containers/podman/commit/fa692a6)
    - Related: #2097694

    [2:4.1.1-2]
    - be sure podman services/sockets are stopped upon package removal
    - Related: #2061316

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7954 advisory.

  - In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing     the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)     (CVE-2020-28851)

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7129 advisory.

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7954 advisory.

    The podman tool manages pods, container images, and containers. It is part of the libpod library, which is     for applications that use container pods. Container pods is a concept in Kubernetes.

    Security Fix(es):

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)

    * podman: podman machine spawns gvproxy with port bound to all IPs (CVE-2021-4024)

    * podman: Remote traffic to rootless containers is seen as orginating from localhost (CVE-2021-20199)

    * containers/storage: DoS via malicious image (CVE-2021-20291)

    * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty     (CVE-2021-33197)

    * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

    * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-7129 advisory.

    [2.13.3-3]
    - Rebuild with new Golang
    - Resolves: rhbz#2131795

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2022:7129 advisory.

  - In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing     the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)     (CVE-2020-28851)

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:7129 advisory.

    Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics     with text pointers inside Git, while storing the file contents on a remote server.

    Security Fix(es):

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)

    * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

    * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

    * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

    * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

    * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short,     potentially allowing a denial of service (CVE-2022-32189)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * git-lfs needs to be rebuild with golang 1.17.7-1 or above

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1276 advisory.

    Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for     installation into an on-premise OpenShift Container Platform installation.

    This advisory covers the RPM packages for the release.

    Security Fix(es):

    * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)

    * envoy: Incorrect configuration handling allows mTLS session re-use without re-validation     (CVE-2022-21654)

    * envoy: Incorrect handling of internal redirects to routes with a direct response entry (CVE-2022-21655)

    * istio: Unauthenticated control plane denial of service attack due to stack exhaustion (CVE-2022-24726)

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)

    * nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)

    * ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)

    * golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet     (CVE-2021-29923)

    * golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)

    * golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

    * envoy: Null pointer dereference when using JWT filter safe_regex match (CVE-2021-43824)

    * envoy: Use-after-free when response filters increase response data (CVE-2021-43825)

    * envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)

    * envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service (CVE-2022-23606)

    * istio: unauthenticated control plane denial of service attack (CVE-2022-23635)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
295402	Azure Linux 3.0 Security Update: multus (CVE-2020-28852)	Nessus	Azure Linux Local Security Checks	high
293342	MiracleLinux 8 : git-lfs-2.13.3-3.el8 (AXSA:2022-3920:02)	Nessus	Miracle Linux Local Security Checks	medium
292898	MiracleLinux 9 : container-tools, python-podman-4.2.0-1.el9, toolbox-0.0.99.3-5.el9 (AXSA:2023-5056:01)	Nessus	Miracle Linux Local Security Checks	high
236486	Alibaba Cloud Linux 3 : 0180: git-lfs (ALINUX3-SA-2022:0180)	Nessus	Alibaba Cloud Linux Local Security Checks	medium
223481	Linux Distros Unpatched Vulnerability : CVE-2020-28852	Nessus	Misc.	high
171575	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Go Text vulnerabilities (USN-5873-1)	Nessus	Ubuntu Local Security Checks	high
168070	Oracle Linux 9 : podman (ELSA-2022-7954)	Nessus	Oracle Linux Local Security Checks	medium
167982	AlmaLinux 9 : podman (ALSA-2022:7954)	Nessus	Alma Linux Local Security Checks	medium
167810	Rocky Linux 8 : git-lfs (RLSA-2022:7129)	Nessus	Rocky Linux Local Security Checks	medium
167600	RHEL 9 : podman (RHSA-2022:7954)	Nessus	Red Hat Local Security Checks	medium
166517	Oracle Linux 8 : git-lfs (ELSA-2022-7129)	Nessus	Oracle Linux Local Security Checks	medium
166511	AlmaLinux 8 : git-lfs (ALSA-2022:7129)	Nessus	Alma Linux Local Security Checks	medium
166480	RHEL 8 : git-lfs (RHSA-2022:7129)	Nessus	Red Hat Local Security Checks	medium
159603	RHEL 8 : Red Hat OpenShift Service Mesh 2.0.9 (RHSA-2022:1276)	Nessus	Red Hat Local Security Checks	critical

Detections

Analytics

CVE-2020-28852

high

Tenable Plugins

high

medium

high

medium

high

high

medium

medium

medium

medium

medium

medium

medium

critical