Ubuntu update for golang-1.17



Risk High
Patch available YES
Number of vulnerabilities 11
CVE-ID CVE-2023-24531
CVE-2023-24538
CVE-2023-29402
CVE-2023-29403
CVE-2023-29405
CVE-2023-29406
CVE-2023-39318
CVE-2023-39319
CVE-2023-39325
CVE-2024-24785
CVE-2023-29404
CWE-ID CWE-78
CWE-94
CWE-264
CWE-644
CWE-79
CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Ubuntu
Operating systems & Components / Operating system

golang-1.17-src (Ubuntu package)
Operating systems & Components / Operating system package or component

golang-1.17-go (Ubuntu package)
Operating systems & Components / Operating system package or component

golang-1.17 (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) OS Command Injection

EUVDB-ID: #VU101963

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-24531

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when handling output of environment variables. A local user can execute arbitrary commands on the system by setting specially crafted values to environment variables and making "go env" print them out.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Code Injection

EUVDB-ID: #VU74574

Risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-24538

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Code Injection

EUVDB-ID: #VU77528

Risk: Medium

CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29402

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.

Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU77529

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29403

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime due to application allows to execute setuid/setgid binaries without any restrictions. An attacker with ability to control the application flow can execute arbitrary code on the system with elevated privileges.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Code Injection

EUVDB-ID: #VU77531

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29405

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Neutralization of HTTP Headers for Scripting Syntax

EUVDB-ID: #VU78327

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29406

CWE-ID: CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper input validation in HTTP/1 client when handling HTTP Host header. A remote non-authenticated attacker can send a specially crafted HTTP request with a maliciously crafted Host header and inject additional headers or entire requests.

Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site scripting

EUVDB-ID: #VU80572

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-39318

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the html/template package when handling HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cross-site scripting

EUVDB-ID: #VU80573

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-39319

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists within the html/template package caused by improperly applied rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource exhaustion

EUVDB-ID: #VU82064

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-39325

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive consumption of internal resources when handling HTTP/2 requests. A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Cross-site scripting

EUVDB-ID: #VU87200

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-24785

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in html/template when parsing errors returned from MarshalJSON methods. A remote attacker can execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Code Injection

EUVDB-ID: #VU77530

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29404

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

Mitigation

Update the affected package golang-1.17 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

golang-1.17-src (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17-go (Ubuntu package): before 1.17.13-3ubuntu1.2

golang-1.17 (Ubuntu package): before 1.17.13-3ubuntu1.2

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7061-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###