Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-3D73E384-AD1F-11ED-983C-83FE35862E3A (CVE-2022-41723): go -- multiple vulnerabilities

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

FreeBSD: VID-3D73E384-AD1F-11ED-983C-83FE35862E3A (CVE-2022-41723): go -- multiple vulnerabilities

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
02/14/2023
Created
02/22/2023
Added
02/17/2023
Modified
03/13/2023

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-3D73E384-AD1F-11ED-983C-83FE35862E3A:

The Go project reports:

path/filepath: path traversal in filepath.Clean on Windows

On Windows, the filepath.Clean function could transform

an invalid path such as a/../c:/b into the valid path

c:\b. This transformation of a relative (if invalid)

path into an absolute path could enable a directory

traversal attack. The filepath.Clean function will now

transform this path into the relative (but still

invalid) path .\c:\b.

net/http, mime/multipart: denial of service from excessive

resource consumption

Multipart form parsing with

mime/multipart.Reader.ReadForm can consume largely

unlimited amounts of memory and disk files. This also

affects form parsing in the net/http package with the

Request methods FormFile, FormValue, ParseMultipartForm,

and PostFormValue.

crypto/tls: large handshake records may cause panics

Both clients and servers may send large TLS handshake

records which cause servers and clients,

respectively, to panic when attempting to construct responses.

net/http: avoid quadratic complexity in HPACK decoding

A maliciously crafted HTTP/2 stream could cause

excessive CPU consumption in the HPACK decoder,

sufficient to cause a denial of service from a small

number of small requests.

Solution(s)

  • freebsd-upgrade-package-go119
  • freebsd-upgrade-package-go120

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;