Alpine: multiple go packages: security update to 1.22.1-r0

high Tenable Cloud Security Plugin ID 426877

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial
domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For
example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to
bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly
forwarded. (CVE-2023-45289)

- When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with
Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed
form were not applied to the memory consumed while reading a single form line. This permits a maliciously
crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory,
potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits
the maximum size of form lines. (CVE-2023-45290)

- Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause
Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth
to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not
verify client certificates. (CVE-2024-24783)

- The ParseAddressList function incorrectly handles comments (text within parentheses) within display names.
Since this is a misalignment with conforming address parsers, it can result in different trust decisions
being made by programs using different parsers. (CVE-2024-24784)

- If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the
contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject
unexpected content into templates. (CVE-2024-24785)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-45289

https://security.alpinelinux.org/vuln/CVE-2023-45290

https://security.alpinelinux.org/vuln/CVE-2024-24783

https://security.alpinelinux.org/vuln/CVE-2024-24784

https://security.alpinelinux.org/vuln/CVE-2024-24785

Plugin Details

Severity: High

ID: 426877

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2024-24785

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-24784

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/5/2024

Reference Information

CVE: CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785

IAVB: 2024-B-0020-S