https://go.dev/cl/442235

https://go.dev/issue/56152

https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ

https://pkg.go.dev/vuln/GO-2022-1059

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 22.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5873-1 advisory.

  - The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the     UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker     could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an     infinite loop if the String function on the Decoder is called, or the Decoder is passed to     golang.org/x/text/transform.String. (CVE-2020-14040)

  - In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing     the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)     (CVE-2020-28851)

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

  - golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during     BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be     used as a vector for a denial-of-service attack. (CVE-2021-38561)

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202210-14 (Gitea: Multiple Vulnerabilities)

  - Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9. (CVE-2022-1928)

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper     access controls, an attacker could assign any issue to any project in Gitea (there was no permission check     for fetching the issue). As a result, the attacker would get access to private issue titles.
    (CVE-2022-38183)

  - Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are     mishandled. (CVE-2022-42968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
171575	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 22.10 : Go Text vulnerabilities (USN-5873-1)	Nessus	Ubuntu Local Security Checks	high
166729	GLSA-202210-14 : Gitea: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical

CVE-2022-32149

high

Tenable Plugins

high

critical