SB20230816219 - Fedora 38 update for golang-github-need-being-tree-0.1.0-1.fc38 golang-helm-3-3.11.1-1.fc38 golang-oras-0.15.1-1.20221105git690716b.fc38 golang-oras-1-1.2.1-1.fc38 golang-oras-2 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20230816219

SB20230816219 - Fedora 38 update for golang-github-need-being-tree-0.1.0-1.fc38 golang-helm-3-3.11.1-1.fc38 golang-oras-0.15.1-1.20221105git690716b.fc38 golang-oras-1-1.2.1-1.fc38 golang-oras-2

Published: August 16, 2023

Security Bulletin ID SB20230816219
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Overly permissive cross-domain whitelist (CVE-ID: CVE-2022-1996)

The vulnerability allows a remote attacker to bypass the CORS protection mechanism.

The vulnerability exists due to incorrect processing of the "Origin" HTTP header that is supplied within HTTP request. A remote attacker can supply arbitrary value via the "Origin" HTTP header, bypass implemented CORS protection mechanism and perform cross-site scripting attacks against the vulnerable application.


2) Input validation error (CVE-ID: CVE-2022-23524)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the strvals package when parsing string values. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


3) Input validation error (CVE-ID: CVE-2022-23526)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the chartutil package. A remote attacker can pass specially crafted JSON Schema validation file to the application and perform a denial of service (DoS) attack.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.


Remediation

Install update from vendor's website.

References