Alpine: multiple go packages: security update to 1.17-r0

high Tenable Self-Hosted Container Security Plugin ID 404756

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute
namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave
in conflicting ways during different stages of processing in affected downstream applications.
(CVE-2020-29509)

- The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element
namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave
in conflicting ways during different stages of processing in affected downstream applications.
(CVE-2020-29511)

- Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address
octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses,
because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-29509

https://security.alpinelinux.org/vuln/CVE-2020-29511

https://security.alpinelinux.org/vuln/CVE-2021-29923

Plugin Details

Severity: High

ID: 404756

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-29511

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-29923

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/14/2020

Reference Information

CVE: CVE-2020-29509, CVE-2020-29511, CVE-2021-29923

IAVB: 2021-B-0047-S