SB2022071516 - Multiple vulnerabilities in Go programming language
Published: July 15, 2022 Updated: March 21, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2022-30634)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in crypto/rand on Windows when handling buffer larger than 1 << 32 - 1 bytes. A remote attacker can consume all available system resources and cause denial of service conditions.
2) Path traversal (CVE-ID: CVE-2022-29804)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error within the filepath.Clean function on Windows, which can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. A remote attacker can pass specially crafted data to the application and perform directory traversal attacks.
Remediation
Install update from vendor's website.
References
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://go.dev/cl/402257
- https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863
- https://go.dev/issue/52561
- https://pkg.go.dev/vuln/GO-2022-0477
- https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
- https://pkg.go.dev/vuln/GO-2022-0533
- https://go.dev/cl/401595
- https://go.dev/issue/52476