Action not permitted
Modal body text goes here.
Modal Title
Modal Body
usn-6574-1
Vulnerability from osv_ubuntu
Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously executing handler goroutines in the net/http module. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2023-39325, CVE-2023-44487)
It was discovered that the Go net/http module did not properly validate the chunk extensions reading from a request or response body. An attacker could possibly use this issue to read sensitive information. (CVE-2023-39326)
It was discovered that Go did not properly validate the insecure "git://" protocol when using go get to fetch a module with the ".git" suffix. An attacker could possibly use this issue to bypass secure protocol checks. (CVE-2023-45285)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2023-39318",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39319",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39323",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39325",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39326",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-45285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~20.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~20.04"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2023-39318",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39319",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39323",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39325",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39326",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-45285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu20.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu20.04.1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2023-39318",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39319",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39323",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39325",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39326",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-45285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~22.04"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2023-39318",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39319",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39323",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39325",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-39326",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-45285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu22.04.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu22.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu22.04.1"
]
}
],
"aliases": [],
"details": "Takeshi Kaneko discovered that Go did not properly handle comments and\nspecial tags in the script context of html/template module. An attacker\ncould possibly use this issue to inject Javascript code and perform a cross\nsite scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,\nUbuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)\n\nIt was discovered that Go did not properly validate the \"//go:cgo_\"\ndirectives during compilation. An attacker could possibly use this issue to\ninject arbitrary code during compile time. (CVE-2023-39323)\n\nIt was discovered that Go did not limit the number of simultaneously\nexecuting handler goroutines in the net/http module. An attacker could\npossibly use this issue to cause a panic resulting into a denial of service.\n(CVE-2023-39325, CVE-2023-44487)\n\nIt was discovered that the Go net/http module did not properly validate the\nchunk extensions reading from a request or response body. An attacker could\npossibly use this issue to read sensitive information. (CVE-2023-39326)\n\nIt was discovered that Go did not properly validate the insecure \"git://\"\nprotocol when using go get to fetch a module with the \".git\" suffix. An\nattacker could possibly use this issue to bypass secure protocol checks.\n(CVE-2023-45285)\n",
"id": "USN-6574-1",
"modified": "2026-04-27T14:11:32Z",
"published": "2024-01-11T05:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39318"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39319"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39323"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39325"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39326"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-44487"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-45285"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "Go vulnerabilities",
"upstream": [
"UBUNTU-CVE-2023-39318",
"UBUNTU-CVE-2023-39319",
"UBUNTU-CVE-2023-39323",
"UBUNTU-CVE-2023-39325",
"UBUNTU-CVE-2023-39326",
"UBUNTU-CVE-2023-44487",
"UBUNTU-CVE-2023-45285"
]
}
ubuntu-cve-2023-39318
Vulnerability from osv_ubuntu
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in contexts. This may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
| URL | Type | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:14.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~14.04.1?arch=source\u0026distro=trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10.4-2ubuntu1~14.04.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~16.04.6+esm1?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~16.04.6+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~16.04.6"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~16.04.2?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10.4-2ubuntu1~16.04.1",
"1.10.4-2ubuntu1~16.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.6",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
},
{
"binary_name": "golang-1.6-go",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
},
{
"binary_name": "golang-1.6-src",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "golang-1.6",
"purl": "pkg:deb/ubuntu/golang-1.6@1.6.2-0ubuntu5~16.04.4?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-0ubuntu1",
"1.6-0ubuntu2",
"1.6-0ubuntu3",
"1.6-0ubuntu4",
"1.6-0ubuntu5",
"1.6.1-0ubuntu1",
"1.6.2-0ubuntu5~16.04",
"1.6.2-0ubuntu5~16.04.2",
"1.6.2-0ubuntu5~16.04.3",
"1.6.2-0ubuntu5~16.04.4"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~16.04.3+esm3?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu1~16.04.2",
"1.13.8-1ubuntu1~16.04.3",
"1.13.8-1ubuntu1~16.04.3+esm2",
"1.13.8-1ubuntu1~16.04.3+esm3"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10~rc1-1",
"1.10~rc1-1ubuntu1",
"1.10~rc1-2ubuntu1",
"1.10~rc2-1ubuntu1",
"1.10-1ubuntu1",
"1.10.1-1ubuntu2",
"1.10.4-2ubuntu1~18.04.1",
"1.10.4-2ubuntu1~18.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~18.04.4+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu1~18.04.2",
"1.13.8-1ubuntu1~18.04.3",
"1.13.8-1ubuntu1~18.04.4",
"1.13.8-1ubuntu1~18.04.4+esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.16",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
},
{
"binary_name": "golang-1.16-go",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
},
{
"binary_name": "golang-1.16-src",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.16",
"purl": "pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~18.04.2+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.2-0ubuntu1~18.04.2",
"1.16.2-0ubuntu1~18.04.2+esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~18.04.4+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~18.04.4+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~18.04.3",
"1.18.1-1ubuntu1~18.04.4"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.8",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-go",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-go-shared-dev",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-src",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "libgolang-1.8-std1",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.8",
"purl": "pkg:deb/ubuntu/golang-1.8@1.8.3-2ubuntu1.18.04.1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.3-2ubuntu1",
"1.8.3-2ubuntu1.18.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.9",
"binary_version": "1.9.4-1ubuntu1"
},
{
"binary_name": "golang-1.9-go",
"binary_version": "1.9.4-1ubuntu1"
},
{
"binary_name": "golang-1.9-src",
"binary_version": "1.9.4-1ubuntu1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.9",
"purl": "pkg:deb/ubuntu/golang-1.9@1.9.4-1ubuntu1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.9.1-2ubuntu1",
"1.9.2-1ubuntu1",
"1.9.2-3ubuntu1",
"1.9.3-1ubuntu1",
"1.9.4-1ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~20.04.3?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~20.04.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~20.04.1",
"1.18.1-1ubuntu1~20.04.2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~20.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~20.04"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1.2"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1.2"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.1-1ubuntu1",
"1.13.3-1ubuntu1",
"1.13.4-1ubuntu1",
"1.13.5-1ubuntu1",
"1.13.6-1ubuntu1",
"1.13.6-2ubuntu1",
"1.13.7-1ubuntu1",
"1.13.8-1ubuntu1",
"1.13.8-1ubuntu1.1",
"1.13.8-1ubuntu1.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.14",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
},
{
"binary_name": "golang-1.14-go",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
},
{
"binary_name": "golang-1.14-src",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.14",
"purl": "pkg:deb/ubuntu/golang-1.14@1.14.3-2ubuntu2~20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.14~beta1-1",
"1.14~beta1-2",
"1.14~rc1-1",
"1.14-1",
"1.14.1-1",
"1.14.2-1",
"1.14.2-1ubuntu1",
"1.14.3-2ubuntu2~20.04.1",
"1.14.3-2ubuntu2~20.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.16",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
},
{
"binary_name": "golang-1.16-go",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
},
{
"binary_name": "golang-1.16-src",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "golang-1.16",
"purl": "pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~20.04.1+esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.2-0ubuntu1~20.04",
"1.16.2-0ubuntu1~20.04.1",
"1.16.2-0ubuntu1~20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.17",
"binary_version": "1.17.13-3ubuntu1.2"
},
{
"binary_name": "golang-1.17-go",
"binary_version": "1.17.13-3ubuntu1.2"
},
{
"binary_name": "golang-1.17-src",
"binary_version": "1.17.13-3ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.17",
"purl": "pkg:deb/ubuntu/golang-1.17@1.17.13-3ubuntu1.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.13-3ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.17-1ubuntu2",
"1.17.3-1ubuntu1",
"1.17.3-1ubuntu2",
"1.17.13-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18~beta1-0ubuntu1",
"1.18~beta2-1ubuntu1",
"1.18~beta2-1ubuntu2",
"1.18~rc1-1ubuntu1",
"1.18-1ubuntu1",
"1.18.1-1ubuntu1",
"1.18.1-1ubuntu1.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~22.04"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu2.22.04.2?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu2",
"1.13.8-1ubuntu2.22.04.1",
"1.13.8-1ubuntu2.22.04.1+esm1",
"1.13.8-1ubuntu2.22.04.2"
]
}
],
"aliases": [],
"details": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in \u003cscript\u003e contexts. This may cause the template parser to improperly interpret the contents of \u003cscript\u003e contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.",
"id": "UBUNTU-CVE-2023-39318",
"modified": "2026-05-20T15:02:49Z",
"published": "2023-09-08T17:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39318"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/62196"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/b0e1d3ea26e8e8fce7726690c9ef0597e60739fb"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c"
},
{
"type": "REPORT",
"url": "https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM"
},
{
"type": "REPORT",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"type": "REPORT",
"url": "https://pkg.go.dev/vuln/GO-2023-2041"
},
{
"type": "REPORT",
"url": "https://go.dev/cl/526156"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39318"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7061-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7109-1"
}
],
"related": [
"USN-6574-1",
"USN-7061-1",
"USN-7109-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-39318"
]
}
ubuntu-cve-2023-39319
Vulnerability from osv_ubuntu
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
| URL | Type | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:14.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~14.04.1?arch=source\u0026distro=trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10.4-2ubuntu1~14.04.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~16.04.6+esm1?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~16.04.6+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~16.04.6"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~16.04.2?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10.4-2ubuntu1~16.04.1",
"1.10.4-2ubuntu1~16.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.6",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
},
{
"binary_name": "golang-1.6-go",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
},
{
"binary_name": "golang-1.6-src",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "golang-1.6",
"purl": "pkg:deb/ubuntu/golang-1.6@1.6.2-0ubuntu5~16.04.4?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-0ubuntu1",
"1.6-0ubuntu2",
"1.6-0ubuntu3",
"1.6-0ubuntu4",
"1.6-0ubuntu5",
"1.6.1-0ubuntu1",
"1.6.2-0ubuntu5~16.04",
"1.6.2-0ubuntu5~16.04.2",
"1.6.2-0ubuntu5~16.04.3",
"1.6.2-0ubuntu5~16.04.4"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~16.04.3+esm3?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu1~16.04.2",
"1.13.8-1ubuntu1~16.04.3",
"1.13.8-1ubuntu1~16.04.3+esm2",
"1.13.8-1ubuntu1~16.04.3+esm3"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10~rc1-1",
"1.10~rc1-1ubuntu1",
"1.10~rc1-2ubuntu1",
"1.10~rc2-1ubuntu1",
"1.10-1ubuntu1",
"1.10.1-1ubuntu2",
"1.10.4-2ubuntu1~18.04.1",
"1.10.4-2ubuntu1~18.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~18.04.4+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu1~18.04.2",
"1.13.8-1ubuntu1~18.04.3",
"1.13.8-1ubuntu1~18.04.4",
"1.13.8-1ubuntu1~18.04.4+esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.16",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
},
{
"binary_name": "golang-1.16-go",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
},
{
"binary_name": "golang-1.16-src",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.16",
"purl": "pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~18.04.2+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.2-0ubuntu1~18.04.2",
"1.16.2-0ubuntu1~18.04.2+esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~18.04.4+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~18.04.4+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~18.04.3",
"1.18.1-1ubuntu1~18.04.4"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.8",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-go",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-go-shared-dev",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-src",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "libgolang-1.8-std1",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.8",
"purl": "pkg:deb/ubuntu/golang-1.8@1.8.3-2ubuntu1.18.04.1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.3-2ubuntu1",
"1.8.3-2ubuntu1.18.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.9",
"binary_version": "1.9.4-1ubuntu1"
},
{
"binary_name": "golang-1.9-go",
"binary_version": "1.9.4-1ubuntu1"
},
{
"binary_name": "golang-1.9-src",
"binary_version": "1.9.4-1ubuntu1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.9",
"purl": "pkg:deb/ubuntu/golang-1.9@1.9.4-1ubuntu1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.9.1-2ubuntu1",
"1.9.2-1ubuntu1",
"1.9.2-3ubuntu1",
"1.9.3-1ubuntu1",
"1.9.4-1ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~20.04.3?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~20.04.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~20.04.1",
"1.18.1-1ubuntu1~20.04.2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~20.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~20.04"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1.2"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1.2"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.1-1ubuntu1",
"1.13.3-1ubuntu1",
"1.13.4-1ubuntu1",
"1.13.5-1ubuntu1",
"1.13.6-1ubuntu1",
"1.13.6-2ubuntu1",
"1.13.7-1ubuntu1",
"1.13.8-1ubuntu1",
"1.13.8-1ubuntu1.1",
"1.13.8-1ubuntu1.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.14",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
},
{
"binary_name": "golang-1.14-go",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
},
{
"binary_name": "golang-1.14-src",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.14",
"purl": "pkg:deb/ubuntu/golang-1.14@1.14.3-2ubuntu2~20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.14~beta1-1",
"1.14~beta1-2",
"1.14~rc1-1",
"1.14-1",
"1.14.1-1",
"1.14.2-1",
"1.14.2-1ubuntu1",
"1.14.3-2ubuntu2~20.04.1",
"1.14.3-2ubuntu2~20.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.16",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
},
{
"binary_name": "golang-1.16-go",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
},
{
"binary_name": "golang-1.16-src",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "golang-1.16",
"purl": "pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~20.04.1+esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.2-0ubuntu1~20.04",
"1.16.2-0ubuntu1~20.04.1",
"1.16.2-0ubuntu1~20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.17",
"binary_version": "1.17.13-3ubuntu1.2"
},
{
"binary_name": "golang-1.17-go",
"binary_version": "1.17.13-3ubuntu1.2"
},
{
"binary_name": "golang-1.17-src",
"binary_version": "1.17.13-3ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.17",
"purl": "pkg:deb/ubuntu/golang-1.17@1.17.13-3ubuntu1.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.13-3ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.17-1ubuntu2",
"1.17.3-1ubuntu1",
"1.17.3-1ubuntu2",
"1.17.13-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18~beta1-0ubuntu1",
"1.18~beta2-1ubuntu1",
"1.18~beta2-1ubuntu2",
"1.18~rc1-1ubuntu1",
"1.18-1ubuntu1",
"1.18.1-1ubuntu1",
"1.18.1-1ubuntu1.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~22.04"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu2.22.04.2?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu2",
"1.13.8-1ubuntu2.22.04.1",
"1.13.8-1ubuntu2.22.04.1+esm1",
"1.13.8-1ubuntu2.22.04.2"
]
}
],
"aliases": [],
"details": "The html/template package does not apply the proper rules for handling occurrences of \"\u003cscript\", \"\u003c!--\", and \"\u003c/script\" within JS literals in \u003cscript\u003e contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.",
"id": "UBUNTU-CVE-2023-39319",
"modified": "2026-05-20T15:02:49Z",
"published": "2023-09-08T17:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39319"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/62197"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/bbd043ff0d6d59f1a9232d31ecd5eacf6507bf6a"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5"
},
{
"type": "REPORT",
"url": "https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM"
},
{
"type": "REPORT",
"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
},
{
"type": "REPORT",
"url": "https://pkg.go.dev/vuln/GO-2023-2043"
},
{
"type": "REPORT",
"url": "https://go.dev/cl/526157"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39319"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7061-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7109-1"
}
],
"related": [
"USN-6574-1",
"USN-7061-1",
"USN-7109-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-39319"
]
}
ubuntu-cve-2023-39323
Vulnerability from osv_ubuntu
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
| URL | Type | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~16.04.6+esm1?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~16.04.6+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~16.04.6"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~18.04.4+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~18.04.4+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~18.04.3",
"1.18.1-1ubuntu1~18.04.4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~20.04.3?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~20.04.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~20.04.1",
"1.18.1-1ubuntu1~20.04.2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~20.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~20.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu20.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu20.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.17",
"binary_version": "1.17.13-3ubuntu1.3"
},
{
"binary_name": "golang-1.17-go",
"binary_version": "1.17.13-3ubuntu1.3"
},
{
"binary_name": "golang-1.17-src",
"binary_version": "1.17.13-3ubuntu1.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.17",
"purl": "pkg:deb/ubuntu/golang-1.17@1.17.13-3ubuntu1.3?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.13-3ubuntu1.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.17-1ubuntu2",
"1.17.3-1ubuntu1",
"1.17.3-1ubuntu2",
"1.17.13-3ubuntu1",
"1.17.13-3ubuntu1.2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18~beta1-0ubuntu1",
"1.18~beta2-1ubuntu1",
"1.18~beta2-1ubuntu2",
"1.18~rc1-1ubuntu1",
"1.18-1ubuntu1",
"1.18.1-1ubuntu1",
"1.18.1-1ubuntu1.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~22.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu22.04.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu22.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu22.04.1"
]
}
],
"aliases": [],
"details": "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.",
"id": "UBUNTU-CVE-2023-39323",
"modified": "2025-09-08T16:56:28Z",
"published": "2023-10-05T21:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39323"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/63211"
},
{
"type": "REPORT",
"url": "https://go.dev/cl/533215"
},
{
"type": "REPORT",
"url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"
},
{
"type": "REPORT",
"url": "https://pkg.go.dev/vuln/GO-2023-2095"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/2ddfc04d12da7028334ab4f8effbc3a78b92d9d2"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/31d5b604ac0adb58aec4870ac1b974c08312fd49"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39323"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7109-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7111-1"
}
],
"related": [
"USN-6574-1",
"USN-7109-1",
"USN-7111-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-39323"
]
}
ubuntu-cve-2023-39325
Vulnerability from osv_ubuntu
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
| URL | Type | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~14.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:14.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~14.04.1?arch=source\u0026distro=trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10.4-2ubuntu1~14.04.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~16.04.6+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~16.04.6+esm1?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~16.04.6+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~16.04.6"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~16.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~16.04.2?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10.4-2ubuntu1~16.04.1",
"1.10.4-2ubuntu1~16.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.6",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
},
{
"binary_name": "golang-1.6-go",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
},
{
"binary_name": "golang-1.6-src",
"binary_version": "1.6.2-0ubuntu5~16.04.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "golang-1.6",
"purl": "pkg:deb/ubuntu/golang-1.6@1.6.2-0ubuntu5~16.04.4?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-0ubuntu1",
"1.6-0ubuntu2",
"1.6-0ubuntu3",
"1.6-0ubuntu4",
"1.6-0ubuntu5",
"1.6.1-0ubuntu1",
"1.6.2-0ubuntu5~16.04",
"1.6.2-0ubuntu5~16.04.2",
"1.6.2-0ubuntu5~16.04.3",
"1.6.2-0ubuntu5~16.04.4"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1~16.04.3+esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~16.04.3+esm3?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu1~16.04.2",
"1.13.8-1ubuntu1~16.04.3",
"1.13.8-1ubuntu1~16.04.3+esm2",
"1.13.8-1ubuntu1~16.04.3+esm3"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.10",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
},
{
"binary_name": "golang-1.10-go",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
},
{
"binary_name": "golang-1.10-src",
"binary_version": "1.10.4-2ubuntu1~18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.10",
"purl": "pkg:deb/ubuntu/golang-1.10@1.10.4-2ubuntu1~18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10~rc1-1",
"1.10~rc1-1ubuntu1",
"1.10~rc1-2ubuntu1",
"1.10~rc2-1ubuntu1",
"1.10-1ubuntu1",
"1.10.1-1ubuntu2",
"1.10.4-2ubuntu1~18.04.1",
"1.10.4-2ubuntu1~18.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1~18.04.4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1~18.04.4+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu1~18.04.2",
"1.13.8-1ubuntu1~18.04.3",
"1.13.8-1ubuntu1~18.04.4",
"1.13.8-1ubuntu1~18.04.4+esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.16",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
},
{
"binary_name": "golang-1.16-go",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
},
{
"binary_name": "golang-1.16-src",
"binary_version": "1.16.2-0ubuntu1~18.04.2+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.16",
"purl": "pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~18.04.2+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.2-0ubuntu1~18.04.2",
"1.16.2-0ubuntu1~18.04.2+esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~18.04.4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~18.04.4+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~18.04.4+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~18.04.3",
"1.18.1-1ubuntu1~18.04.4"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.8",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-go",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-go-shared-dev",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "golang-1.8-src",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
},
{
"binary_name": "libgolang-1.8-std1",
"binary_version": "1.8.3-2ubuntu1.18.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.8",
"purl": "pkg:deb/ubuntu/golang-1.8@1.8.3-2ubuntu1.18.04.1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.3-2ubuntu1",
"1.8.3-2ubuntu1.18.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.9",
"binary_version": "1.9.4-1ubuntu1"
},
{
"binary_name": "golang-1.9-go",
"binary_version": "1.9.4-1ubuntu1"
},
{
"binary_name": "golang-1.9-src",
"binary_version": "1.9.4-1ubuntu1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "golang-1.9",
"purl": "pkg:deb/ubuntu/golang-1.9@1.9.4-1ubuntu1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.9.1-2ubuntu1",
"1.9.2-1ubuntu1",
"1.9.2-3ubuntu1",
"1.9.3-1ubuntu1",
"1.9.4-1ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1~20.04.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1~20.04.3?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1~20.04.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18.1-1ubuntu1~20.04.1",
"1.18.1-1ubuntu1~20.04.2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~20.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~20.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu20.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu20.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu1.2"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu1.2"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu1.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.1-1ubuntu1",
"1.13.3-1ubuntu1",
"1.13.4-1ubuntu1",
"1.13.5-1ubuntu1",
"1.13.6-1ubuntu1",
"1.13.6-2ubuntu1",
"1.13.7-1ubuntu1",
"1.13.8-1ubuntu1",
"1.13.8-1ubuntu1.1",
"1.13.8-1ubuntu1.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.14",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
},
{
"binary_name": "golang-1.14-go",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
},
{
"binary_name": "golang-1.14-src",
"binary_version": "1.14.3-2ubuntu2~20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.14",
"purl": "pkg:deb/ubuntu/golang-1.14@1.14.3-2ubuntu2~20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.14~beta1-1",
"1.14~beta1-2",
"1.14~rc1-1",
"1.14-1",
"1.14.1-1",
"1.14.2-1",
"1.14.2-1ubuntu1",
"1.14.3-2ubuntu2~20.04.1",
"1.14.3-2ubuntu2~20.04.2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.16",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
},
{
"binary_name": "golang-1.16-go",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
},
{
"binary_name": "golang-1.16-src",
"binary_version": "1.16.2-0ubuntu1~20.04.1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "golang-1.16",
"purl": "pkg:deb/ubuntu/golang-1.16@1.16.2-0ubuntu1~20.04.1+esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.2-0ubuntu1~20.04",
"1.16.2-0ubuntu1~20.04.1",
"1.16.2-0ubuntu1~20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.17",
"binary_version": "1.17.13-3ubuntu1.2"
},
{
"binary_name": "golang-1.17-go",
"binary_version": "1.17.13-3ubuntu1.2"
},
{
"binary_name": "golang-1.17-src",
"binary_version": "1.17.13-3ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.17",
"purl": "pkg:deb/ubuntu/golang-1.17@1.17.13-3ubuntu1.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.13-3ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.17-1ubuntu2",
"1.17.3-1ubuntu1",
"1.17.3-1ubuntu2",
"1.17.13-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.18",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-go",
"binary_version": "1.18.1-1ubuntu1.2"
},
{
"binary_name": "golang-1.18-src",
"binary_version": "1.18.1-1ubuntu1.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.18",
"purl": "pkg:deb/ubuntu/golang-1.18@1.18.1-1ubuntu1.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1-1ubuntu1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.18~beta1-0ubuntu1",
"1.18~beta2-1ubuntu1",
"1.18~beta2-1ubuntu2",
"1.18~rc1-1ubuntu1",
"1.18-1ubuntu1",
"1.18.1-1ubuntu1",
"1.18.1-1ubuntu1.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~22.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu22.04.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu22.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu22.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "golang-1.13",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
},
{
"binary_name": "golang-1.13-go",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
},
{
"binary_name": "golang-1.13-src",
"binary_version": "1.13.8-1ubuntu2.22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "golang-1.13",
"purl": "pkg:deb/ubuntu/golang-1.13@1.13.8-1ubuntu2.22.04.2?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.13.8-1ubuntu2",
"1.13.8-1ubuntu2.22.04.1",
"1.13.8-1ubuntu2.22.04.1+esm1",
"1.13.8-1ubuntu2.22.04.2"
]
}
],
"aliases": [],
"details": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.",
"id": "UBUNTU-CVE-2023-39325",
"modified": "2026-05-20T15:02:49Z",
"published": "2023-10-11T22:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39325"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/issues/63417"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/24ae2d927285c697440fdde3ad7f26028354bcf3"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/e175f27f58aa7b9cd4d79607ae65d2cd5baaee68"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7061-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7109-1"
}
],
"related": [
"USN-6574-1",
"USN-7061-1",
"USN-7109-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-39325"
]
}
ubuntu-cve-2023-39326
Vulnerability from osv_ubuntu
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~20.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~20.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu20.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu20.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~22.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu22.04.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu22.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu22.04.1"
]
}
],
"aliases": [],
"details": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.",
"id": "UBUNTU-CVE-2023-39326",
"modified": "2025-09-08T16:56:28Z",
"published": "2023-12-06T00:00:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-39326"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/64433"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39326"
}
],
"related": [
"USN-6574-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-39326"
]
}
ubuntu-cve-2023-44487
Vulnerability from osv_ubuntu
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libnghttp2-14",
"binary_version": "1.7.1-1ubuntu0.1~esm2"
},
{
"binary_name": "nghttp2",
"binary_version": "1.7.1-1ubuntu0.1~esm2"
},
{
"binary_name": "nghttp2-client",
"binary_version": "1.7.1-1ubuntu0.1~esm2"
},
{
"binary_name": "nghttp2-proxy",
"binary_version": "1.7.1-1ubuntu0.1~esm2"
},
{
"binary_name": "nghttp2-server",
"binary_version": "1.7.1-1ubuntu0.1~esm2"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "nghttp2",
"purl": "pkg:deb/ubuntu/nghttp2@1.7.1-1ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-1ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6.7-1",
"1.3.4-2",
"1.4.0-1",
"1.4.0-2",
"1.5.0-2",
"1.6.0-1",
"1.7.0-1",
"1.7.1-1",
"1.7.1-1ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "haproxy",
"binary_version": "1.8.8-1ubuntu0.13+esm3"
},
{
"binary_name": "vim-haproxy",
"binary_version": "1.8.8-1ubuntu0.13+esm3"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "haproxy",
"purl": "pkg:deb/ubuntu/haproxy@1.8.8-1ubuntu0.13+esm3?arch=source\u0026distro=esm-infra/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.8-1ubuntu0.13+esm3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.9-1ubuntu1",
"1.7.9-1ubuntu2",
"1.8.4-1",
"1.8.7-1",
"1.8.8-1",
"1.8.8-1ubuntu0.1",
"1.8.8-1ubuntu0.2",
"1.8.8-1ubuntu0.3",
"1.8.8-1ubuntu0.4",
"1.8.8-1ubuntu0.6",
"1.8.8-1ubuntu0.7",
"1.8.8-1ubuntu0.8",
"1.8.8-1ubuntu0.9",
"1.8.8-1ubuntu0.10",
"1.8.8-1ubuntu0.11",
"1.8.8-1ubuntu0.13",
"1.8.8-1ubuntu0.13+esm2"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libnghttp2-14",
"binary_version": "1.30.0-1ubuntu1+esm2"
},
{
"binary_name": "nghttp2",
"binary_version": "1.30.0-1ubuntu1+esm2"
},
{
"binary_name": "nghttp2-client",
"binary_version": "1.30.0-1ubuntu1+esm2"
},
{
"binary_name": "nghttp2-proxy",
"binary_version": "1.30.0-1ubuntu1+esm2"
},
{
"binary_name": "nghttp2-server",
"binary_version": "1.30.0-1ubuntu1+esm2"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "nghttp2",
"purl": "pkg:deb/ubuntu/nghttp2@1.30.0-1ubuntu1+esm2?arch=source\u0026distro=esm-infra/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.30.0-1ubuntu1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.25.0-1",
"1.27.0-1",
"1.28.0-1",
"1.29.0-1",
"1.29.0-1build1",
"1.30.0-1",
"1.30.0-1ubuntu1",
"1.30.0-1ubuntu1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "h2o",
"binary_version": "2.2.4+dfsg-1ubuntu0.1~esm2"
},
{
"binary_name": "libh2o-dev-common",
"binary_version": "2.2.4+dfsg-1ubuntu0.1~esm2"
},
{
"binary_name": "libh2o-evloop0.13",
"binary_version": "2.2.4+dfsg-1ubuntu0.1~esm2"
},
{
"binary_name": "libh2o0.13",
"binary_version": "2.2.4+dfsg-1ubuntu0.1~esm2"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "h2o",
"purl": "pkg:deb/ubuntu/h2o@2.2.4+dfsg-1ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.4+dfsg-1ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.3+dfsg-2",
"2.2.4+dfsg-1",
"2.2.4+dfsg-1build1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "nodejs",
"binary_version": "8.10.0~dfsg-2ubuntu0.4+esm6"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "nodejs",
"purl": "pkg:deb/ubuntu/nodejs@8.10.0~dfsg-2ubuntu0.4+esm6?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.10.0~dfsg-2ubuntu0.4+esm6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.11.4~dfsg-1ubuntu1",
"6.11.4~dfsg-1ubuntu2",
"6.12.0~dfsg-1ubuntu1",
"6.12.0~dfsg-2ubuntu1",
"6.12.0~dfsg-2ubuntu2",
"8.10.0~dfsg-2",
"8.10.0~dfsg-2ubuntu0.2",
"8.10.0~dfsg-2ubuntu0.3",
"8.10.0~dfsg-2ubuntu0.4",
"8.10.0~dfsg-2ubuntu0.4+esm1",
"8.10.0~dfsg-2ubuntu0.4+esm2",
"8.10.0~dfsg-2ubuntu0.4+esm3",
"8.10.0~dfsg-2ubuntu0.4+esm4",
"8.10.0~dfsg-2ubuntu0.4+esm5"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm4"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm4?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.39-1ubuntu1~18.04.3+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1",
"8.5.39-1ubuntu1~18.04.3+esm2",
"8.5.39-1ubuntu1~18.04.3+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2+esm5"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2+esm5?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2+esm5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1",
"9.0.16-3ubuntu0.18.04.2",
"9.0.16-3ubuntu0.18.04.2+esm1",
"9.0.16-3ubuntu0.18.04.2+esm2",
"9.0.16-3ubuntu0.18.04.2+esm3",
"9.0.16-3ubuntu0.18.04.2+esm4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libnghttp2-14",
"binary_version": "1.40.0-1ubuntu0.2"
},
{
"binary_name": "nghttp2",
"binary_version": "1.40.0-1ubuntu0.2"
},
{
"binary_name": "nghttp2-client",
"binary_version": "1.40.0-1ubuntu0.2"
},
{
"binary_name": "nghttp2-proxy",
"binary_version": "1.40.0-1ubuntu0.2"
},
{
"binary_name": "nghttp2-server",
"binary_version": "1.40.0-1ubuntu0.2"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "nghttp2",
"purl": "pkg:deb/ubuntu/nghttp2@1.40.0-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.40.0-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.39.2-1",
"1.40.0-1",
"1.40.0-1build1",
"1.40.0-1ubuntu0.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.9"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.9"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.9"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.9"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.9"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.9"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.9"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.9"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.9?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.9"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1",
"9.0.31-1ubuntu0.2",
"9.0.31-1ubuntu0.3",
"9.0.31-1ubuntu0.4",
"9.0.31-1ubuntu0.5",
"9.0.31-1ubuntu0.6",
"9.0.31-1ubuntu0.7",
"9.0.31-1ubuntu0.8"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "h2o",
"binary_version": "2.2.5+dfsg2-3ubuntu0.1~esm1"
},
{
"binary_name": "libh2o-dev-common",
"binary_version": "2.2.5+dfsg2-3ubuntu0.1~esm1"
},
{
"binary_name": "libh2o-evloop0.13",
"binary_version": "2.2.5+dfsg2-3ubuntu0.1~esm1"
},
{
"binary_name": "libh2o0.13",
"binary_version": "2.2.5+dfsg2-3ubuntu0.1~esm1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "h2o",
"purl": "pkg:deb/ubuntu/h2o@2.2.5+dfsg2-3ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.5+dfsg2-3ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.5+dfsg2-3",
"2.2.5+dfsg2-3build1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libnode64",
"binary_version": "10.19.0~dfsg-3ubuntu1.6+esm2"
},
{
"binary_name": "nodejs",
"binary_version": "10.19.0~dfsg-3ubuntu1.6+esm2"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "nodejs",
"purl": "pkg:deb/ubuntu/nodejs@10.19.0~dfsg-3ubuntu1.6+esm2?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.19.0~dfsg-3ubuntu1.6+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"10.15.2~dfsg-2ubuntu1",
"10.17.0~dfsg-2ubuntu4",
"10.17.0~dfsg-2ubuntu6",
"10.19.0~dfsg-3ubuntu1",
"10.19.0~dfsg-3ubuntu1.1",
"10.19.0~dfsg-3ubuntu1.2",
"10.19.0~dfsg-3ubuntu1.3",
"10.19.0~dfsg-3ubuntu1.5",
"10.19.0~dfsg-3ubuntu1.6"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "trafficserver",
"binary_version": "8.0.5+ds-3ubuntu0.1~esm1"
},
{
"binary_name": "trafficserver-experimental-plugins",
"binary_version": "8.0.5+ds-3ubuntu0.1~esm1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "trafficserver",
"purl": "pkg:deb/ubuntu/trafficserver@8.0.5+ds-3ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.5+ds-3ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.5+ds-1",
"8.0.5+ds-2",
"8.0.5+ds-2build1",
"8.0.5+ds-2ubuntu1",
"8.0.5+ds-3"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "aspnetcore-runtime-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "aspnetcore-targeting-pack-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-apphost-pack-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-host",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-hostfxr-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-runtime-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-sdk-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-sdk-6.0-source-built-artifacts",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-targeting-pack-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-templates-6.0",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet6",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
},
{
"binary_name": "netstandard-targeting-pack-2.1",
"binary_version": "6.0.123-0ubuntu1~22.04.1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "dotnet6",
"purl": "pkg:deb/ubuntu/dotnet6@6.0.123-0ubuntu1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.123-0ubuntu1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.0.108-0ubuntu1~22.04.1",
"6.0.109-0ubuntu1~22.04.1",
"6.0.110-0ubuntu1~22.04.1",
"6.0.111-0ubuntu1~22.04.1",
"6.0.113-0ubuntu1~22.04.1",
"6.0.116-0ubuntu1~22.04.1",
"6.0.118-0ubuntu1~22.04.1",
"6.0.119-0ubuntu1~22.04.1",
"6.0.120-0ubuntu1~22.04.1",
"6.0.121-0ubuntu1~22.04.1",
"6.0.122-0ubuntu1~22.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "aspnetcore-runtime-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "aspnetcore-targeting-pack-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-apphost-pack-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-host-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-hostfxr-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-runtime-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-sdk-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-sdk-7.0-source-built-artifacts",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-targeting-pack-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-templates-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet7",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
},
{
"binary_name": "netstandard-targeting-pack-2.1-7.0",
"binary_version": "7.0.112-0ubuntu1~22.04.1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "dotnet7",
"purl": "pkg:deb/ubuntu/dotnet7@7.0.112-0ubuntu1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.112-0ubuntu1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.105-0ubuntu1~22.04.1",
"7.0.107-0ubuntu1~22.04.1",
"7.0.108-0ubuntu1~22.04.1",
"7.0.109-0ubuntu1~22.04.1",
"7.0.110-0ubuntu1~22.04.1",
"7.0.111-0ubuntu1~22.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libnetty-java",
"binary_version": "1:4.1.48-4+deb11u2build0.22.04.1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "netty",
"purl": "pkg:deb/ubuntu/netty@1:4.1.48-4+deb11u2build0.22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:4.1.48-4+deb11u2build0.22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:4.1.48-4",
"1:4.1.48-4+deb11u1build0.22.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libnghttp2-14",
"binary_version": "1.43.0-1ubuntu0.1"
},
{
"binary_name": "nghttp2",
"binary_version": "1.43.0-1ubuntu0.1"
},
{
"binary_name": "nghttp2-client",
"binary_version": "1.43.0-1ubuntu0.1"
},
{
"binary_name": "nghttp2-proxy",
"binary_version": "1.43.0-1ubuntu0.1"
},
{
"binary_name": "nghttp2-server",
"binary_version": "1.43.0-1ubuntu0.1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "nghttp2",
"purl": "pkg:deb/ubuntu/nghttp2@1.43.0-1ubuntu0.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.43.0-1ubuntu0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.43.0-1",
"1.43.0-1build1",
"1.43.0-1build2",
"1.43.0-1build3"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.58-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.58-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.58-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.58-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.58-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.58-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.58-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.58-1ubuntu0.2"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.58-1ubuntu0.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.58-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.43-3",
"9.0.54-1",
"9.0.55-1",
"9.0.58-1",
"9.0.58-1ubuntu0.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "dnsdist",
"binary_version": "1.6.1-1ubuntu0.1~esm1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "dnsdist",
"purl": "pkg:deb/ubuntu/dnsdist@1.6.1-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.1-3build2",
"1.6.1-1build1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "h2o",
"binary_version": "2.2.5+dfsg2-6.1ubuntu2+esm1"
},
{
"binary_name": "libh2o-dev-common",
"binary_version": "2.2.5+dfsg2-6.1ubuntu2+esm1"
},
{
"binary_name": "libh2o-evloop0.13",
"binary_version": "2.2.5+dfsg2-6.1ubuntu2+esm1"
},
{
"binary_name": "libh2o0.13",
"binary_version": "2.2.5+dfsg2-6.1ubuntu2+esm1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "h2o",
"purl": "pkg:deb/ubuntu/h2o@2.2.5+dfsg2-6.1ubuntu2+esm1?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.5+dfsg2-6.1ubuntu2+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.5+dfsg2-6",
"2.2.5+dfsg2-6.1",
"2.2.5+dfsg2-6.1ubuntu1",
"2.2.5+dfsg2-6.1ubuntu2"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libnode72",
"binary_version": "12.22.9~dfsg-1ubuntu3.6+esm2"
},
{
"binary_name": "nodejs",
"binary_version": "12.22.9~dfsg-1ubuntu3.6+esm2"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "nodejs",
"purl": "pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.6+esm2?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.22.9~dfsg-1ubuntu3.6+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"12.22.5~dfsg-5ubuntu1",
"12.22.7~dfsg-2ubuntu1",
"12.22.7~dfsg-2ubuntu3",
"12.22.9~dfsg-1ubuntu2",
"12.22.9~dfsg-1ubuntu3",
"12.22.9~dfsg-1ubuntu3.1",
"12.22.9~dfsg-1ubuntu3.2",
"12.22.9~dfsg-1ubuntu3.3",
"12.22.9~dfsg-1ubuntu3.4",
"12.22.9~dfsg-1ubuntu3.5",
"12.22.9~dfsg-1ubuntu3.6"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "trafficserver",
"binary_version": "9.1.1+ds-2ubuntu0.1~esm1"
},
{
"binary_name": "trafficserver-experimental-plugins",
"binary_version": "9.1.1+ds-2ubuntu0.1~esm1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "trafficserver",
"purl": "pkg:deb/ubuntu/trafficserver@9.1.1+ds-2ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.1.1+ds-2ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.1.1+ds-1.1",
"9.1.1+ds-2build1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "aspnetcore-runtime-8.0",
"binary_version": "8.0.0-0ubuntu1"
},
{
"binary_name": "aspnetcore-targeting-pack-8.0",
"binary_version": "8.0.0-0ubuntu1"
},
{
"binary_name": "dotnet-apphost-pack-8.0",
"binary_version": "8.0.0-0ubuntu1"
},
{
"binary_name": "dotnet-host-8.0",
"binary_version": "8.0.0-0ubuntu1"
},
{
"binary_name": "dotnet-hostfxr-8.0",
"binary_version": "8.0.0-0ubuntu1"
},
{
"binary_name": "dotnet-runtime-8.0",
"binary_version": "8.0.0-0ubuntu1"
},
{
"binary_name": "dotnet-sdk-8.0",
"binary_version": "8.0.100-0ubuntu1"
},
{
"binary_name": "dotnet-sdk-8.0-source-built-artifacts",
"binary_version": "8.0.100-0ubuntu1"
},
{
"binary_name": "dotnet-targeting-pack-8.0",
"binary_version": "8.0.0-0ubuntu1"
},
{
"binary_name": "dotnet-templates-8.0",
"binary_version": "8.0.100-0ubuntu1"
},
{
"binary_name": "dotnet8",
"binary_version": "8.0.100-8.0.0-0ubuntu1"
},
{
"binary_name": "netstandard-targeting-pack-2.1-8.0",
"binary_version": "8.0.100-0ubuntu1"
}
],
"priority_reason": "Listed in CISA Known Exploited Vulnerabilities Catalog"
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "dotnet8",
"purl": "pkg:deb/ubuntu/dotnet8@8.0.100-8.0.0-0ubuntu1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.100-8.0.0-0ubuntu1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.100-8.0.0~rc1-0ubuntu1",
"8.0.100-8.0.0~rc2-0ubuntu1",
"8.0.100-8.0.0~rc2-0ubuntu2"
]
}
],
"aliases": [],
"details": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
"id": "UBUNTU-CVE-2023-44487",
"modified": "2026-04-22T07:45:27Z",
"published": "2023-10-10T00:00:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-44487"
},
{
"type": "REPORT",
"url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
},
{
"type": "REPORT",
"url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
},
{
"type": "REPORT",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html"
},
{
"type": "REPORT",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"type": "REPORT",
"url": "https://my.f5.com/manage/s/article/K000137106"
},
{
"type": "REPORT",
"url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
},
{
"type": "REPORT",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg44134.html"
},
{
"type": "REPORT",
"url": "https://devblogs.microsoft.com/dotnet/october-2023-updates/"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6427-1"
},
{
"type": "REPORT",
"url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
},
{
"type": "REPORT",
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6427-2"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6438-1"
},
{
"type": "REPORT",
"url": "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6505-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6754-1"
},
{
"type": "REPORT",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6994-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7067-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7410-1"
},
{
"type": "REPORT",
"url": "https://tomcat.apache.org/security-8.html"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7469-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7469-2"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7469-3"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7469-4"
},
{
"type": "REPORT",
"url": "https://blog.powerdns.com/2024/02/16/powerdns-dnsdist-1.9.0-released"
},
{
"type": "REPORT",
"url": "https://mailman.powerdns.com/pipermail/dnsdist/2023-October/001409.html"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7892-1"
}
],
"related": [
"USN-6427-1",
"USN-6427-2",
"USN-6438-1",
"USN-6505-1",
"USN-6574-1",
"USN-6754-1",
"USN-6994-1",
"USN-7067-1",
"USN-7410-1",
"USN-7469-1",
"USN-7469-2",
"USN-7469-3",
"USN-7469-4",
"USN-7892-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "high",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-44487"
]
}
ubuntu-cve-2023-45285
Vulnerability from osv_ubuntu
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~20.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~20.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu20.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu20.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu20.04.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu20.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu20.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.20",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-go",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
},
{
"binary_name": "golang-1.20-src",
"binary_version": "1.20.3-1ubuntu0.1~22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.20",
"purl": "pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.3-1ubuntu0.1~22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.3-1ubuntu0.1~22.04"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "golang-1.21",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-go",
"binary_version": "1.21.1-1~ubuntu22.04.2"
},
{
"binary_name": "golang-1.21-src",
"binary_version": "1.21.1-1~ubuntu22.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "golang-1.21",
"purl": "pkg:deb/ubuntu/golang-1.21@1.21.1-1~ubuntu22.04.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.1-1~ubuntu22.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.21.1-1~ubuntu22.04.1"
]
}
],
"aliases": [],
"details": "Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).",
"id": "UBUNTU-CVE-2023-45285",
"modified": "2025-09-08T16:56:32Z",
"published": "2023-12-06T00:00:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-45285"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/63845"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/23c943e5296c6fa3a6f9433bd929306c4dbf2aa3"
},
{
"type": "REPORT",
"url": "https://github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6574-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45285"
}
],
"related": [
"USN-6574-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-45285"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.