Alpine: multiple go packages: security update to 1.16.15-r0

critical Tenable Self-Hosted Container Security Plugin ID 404749

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return
true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

- net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the
header canonicalization cache via HTTP/2 requests. (CVE-2021-44716)

- Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to
Uncontrolled Memory Consumption. (CVE-2022-23772)

- cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to
be version tags. This can lead to incorrect access control if an actor is supposed to be able to create
branches but not tags. (CVE-2022-23773)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-44716

https://security.alpinelinux.org/vuln/CVE-2022-23772

https://security.alpinelinux.org/vuln/CVE-2022-23773

https://security.alpinelinux.org/vuln/CVE-2022-23806

https://security.alpinelinux.org/vuln/CVE-2022-24921

https://security.alpinelinux.org/vuln/CVE-2022-27191

Plugin Details

Severity: Critical

ID: 404749

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2022-23806

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/9/2021

Reference Information

CVE: CVE-2021-44716, CVE-2022-23772, CVE-2022-23773, CVE-2022-23806, CVE-2022-24921, CVE-2022-27191

IAVB: 2022-B-0008-S, 2022-B-0011