QID 354401
Date Published: 2022-12-21
QID 354401: Amazon Linux Security Advisory for golang : ALAS2022-2021-007
A validation flaw was found in golang.
When invoking functions from wasm modules built using goarch=wasm goos=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.
The highest threat from this vulnerability is to integrity. (
( CVE-2021-38297) an out of bounds read vulnerability was found in debug/macho of the go standard library.
When using the debug/macho standard library (stdlib) and malformed binaries are parsed using open or openfat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling importedsymbols.
An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. (
( CVE-2021-41771) a vulnerability was found in archive/zip of the go standard library.
Applications written in go where reader.
Open (the api implementing io/fs.
Fs introduced in go 1.16) can panic when parsing a crafted zip archive containing completely invalid names or an empty filename argument. (
( CVE-2021-41772)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
- ALAS2022-2021-007 -
alas.aws.amazon.com/AL2022/ALAS-2021-007.html
CVEs related to QID 354401
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALAS2022-2021-007 | amazon linux 2022 |
alas.aws.amazon.com/AL2022/ALAS-2021-007.html |