Golang 1.18.2 in latest Redis Image Contains Multiple High Severity Vulnerabilities

[charles-horel-rogers]

The following vulns exist in the tag 7.4.2.
Can golang be patched?

CVE-2022-30632 | 416 | fail | go | high | path/filepath | 1.18.2 |   | 7.5 | fixed in 1.17.12, 1.18.4 | 23:02.0 |   | Attack complexity: low, Attack vector: network, DoS - High, Has fix, High severity | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. | 9 |   | 15:41.0 | 38:13.0 |  
-- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | --
CVE-2022-30630 | 416 | fail | go | high | io/fs |   | 1.18.2 |   | 7.5 | fixed in 1.17.12, 1.18.4 | 23:02.0 |   | Attack complexity: low, Attack vector: network, DoS - High, Has fix, High severity | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | 9 |   | 15:40.0 | 38:13.0 |  
CVE-2023-29403 | 416 | fail | go | high | runtime |   | 1.18.2 |   | 7.8 | fixed in 1.19.10, 1.20.5 | 23:02.0 |   | Attack complexity: low, DoS - High, Has fix, High severity | On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. | 9 |   | 15:16.0 | 38:13.0 |
CVE-2022-30630 | 416 | fail | go | high | io/fs |   | 1.18.2 |   | 7.5 | fixed in 1.17.12, 1.18.4 | 23:02.0 |   | Attack complexity: low, Attack vector: network, DoS - High, Has fix, High severity | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | 6 |   | 15:40.0 | 53:56.0 |  
CVE-2023-29403 | 416 | fail | go | high | runtime |   | 1.18.2 |   | 7.8 | fixed in 1.19.10, 1.20.5 | 23:02.0 |   | Attack complexity: low, DoS - High, Has fix, High severity | On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. | 6 |   | 15:16.0 | 53:56.0 |  
CVE-2022-30632 | 416 | fail | go | high | path/filepath | 1.18.2 |   | 7.5 | fixed in 1.17.12, 1.18.4 | 23:02.0 |   | Attack complexity: low, Attack vector: network, DoS - High, Has fix, High severity | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. | 6 |   | 15:41.0 | 53:56.0 |

[LaurentGoderre]

Duplicate of #424

[frankyjquintero]