The version of golang installed on the remote host is prior to 1.20.10-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2313 advisory.

  - The html/template package does not properly handle HTML-like  comment tokens, nor hashbang #! comment     tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of     <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS     attack. (CVE-2023-39318)

  - The html/template package does not apply the proper rules for handling occurrences of <script, <!--,     and </script within JS literals in <script> contexts. This may cause the template parser to improperly     consider script contexts to be terminated early, causing actions to be improperly escaped. This could be     leveraged to perform an XSS attack. (CVE-2023-39319)

  - Line directives (//line) can be used to bypass the restrictions on //go:cgo_ directives, allowing     blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution     of arbitrary code when running go build. The line directive requires the absolute path of the file in     which the directive lives, which makes exploiting this issue significantly more complex. (CVE-2023-39323)

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : golang (ALAS-2023-2313)

high Nessus Plugin ID 183206

Version 1.6