BUG #18702: Critical & High Security vulnerability issue with Trivy Scan in postgres 16

The following bug has been logged on the website:

Bug reference: 18702
Logged by: Sathyendran Vellaisamy
Email address: sathyendran(dot)vellaisamy(at)intel(dot)com
PostgreSQL version: 16.0
Operating system: Ubuntu
Description:

Hi Team,

We are using postgres 16 docker image from hub and we found some Critical
and High vulnerability. This fix is essential for our releases. Please
provide fix for the vulnerability issue below.

Below is the report from Trivy scan:


Trivy Vulnerability Scan Results (usr/local/bin/gosu)
VulnerabilityID
Severity
CVSS Score
Title
Library
Vulnerable Version
Fixed Version
Information URL
Triage Information
CVE-2023-24538
CRITICAL
9.8
golang: html/template: backticks not treated as string delimiters
stdlib
1.18.2
1.19.8, 1.20.3
https://avd.aquasec.com/nvd/cve-2023-24538
CVE-2023-24540
CRITICAL
9.8
golang: html/template: improper handling of JavaScript whitespace
stdlib
1.18.2
1.19.9, 1.20.4
https://avd.aquasec.com/nvd/cve-2023-24540
CVE-2024-24790
CRITICAL
9.8
golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6
addresses
stdlib
1.18.2
1.21.11, 1.22.4
https://avd.aquasec.com/nvd/cve-2024-24790
CVE-2022-27664
HIGH
7.5
golang: net/http: handle server errors after sending GOAWAY
stdlib
1.18.2
1.18.6, 1.19.1
https://avd.aquasec.com/nvd/cve-2022-27664
CVE-2022-28131
HIGH
7.5
golang: encoding/xml: stack exhaustion in Decoder.Skip
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-28131
CVE-2022-2879
HIGH
7.5
golang: archive/tar: unbounded memory consumption when reading headers
stdlib
1.18.2
1.18.7, 1.19.2
https://avd.aquasec.com/nvd/cve-2022-2879
CVE-2022-2880
HIGH
7.5
golang: net/http/httputil: ReverseProxy should not forward unparseable query
parameters
stdlib
1.18.2
1.18.7, 1.19.2
https://avd.aquasec.com/nvd/cve-2022-2880
CVE-2022-29804
HIGH
7.5
ELSA-2022-17957: ol8addon security update (IMPORTANT)
stdlib
1.18.2
1.17.11, 1.18.3
https://avd.aquasec.com/nvd/cve-2022-29804
CVE-2022-30580
HIGH
7.8
golang: os/exec: Code injection in Cmd.Start
stdlib
1.18.2
1.17.11, 1.18.3
https://avd.aquasec.com/nvd/cve-2022-30580
CVE-2022-30630
HIGH
7.5
golang: io/fs: stack exhaustion in Glob
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-30630
CVE-2022-30631
HIGH
7.5
golang: compress/gzip: stack exhaustion in Reader.Read
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-30631
CVE-2022-30632
HIGH
7.5
golang: path/filepath: stack exhaustion in Glob
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-30632
CVE-2022-30633
HIGH
7.5
golang: encoding/xml: stack exhaustion in Unmarshal
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-30633
CVE-2022-30634
HIGH
7.5
ELSA-2022-17957: ol8addon security update (IMPORTANT)
stdlib
1.18.2
1.17.11, 1.18.3
https://avd.aquasec.com/nvd/cve-2022-30634
CVE-2022-30635
HIGH
7.5
golang: encoding/gob: stack exhaustion in Decoder.Decode
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-30635
CVE-2022-32189
HIGH
7.5
golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
stdlib
1.18.2
1.17.13, 1.18.5
https://avd.aquasec.com/nvd/cve-2022-32189
CVE-2022-41715
HIGH
7.5
golang: regexp/syntax: limit memory used by parsing regexps
stdlib
1.18.2
1.18.7, 1.19.2
https://avd.aquasec.com/nvd/cve-2022-41715
CVE-2022-41716
HIGH
7.5
Due to unsanitized NUL values, attackers may be able to maliciously se ...
stdlib
1.18.2
1.18.8, 1.19.3
https://avd.aquasec.com/nvd/cve-2022-41716
CVE-2022-41720
HIGH
7.5
golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
stdlib
1.18.2
1.18.9, 1.19.4
https://avd.aquasec.com/nvd/cve-2022-41720
CVE-2022-41722
HIGH
7.5
golang: path/filepath: path-filepath filepath.Clean path traversal
stdlib
1.18.2
1.19.6, 1.20.1
https://avd.aquasec.com/nvd/cve-2022-41722
CVE-2022-41723
HIGH
7.5
golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
stdlib
1.18.2
1.19.6, 1.20.1
https://avd.aquasec.com/nvd/cve-2022-41723
CVE-2022-41724
HIGH
7.5
golang: crypto/tls: large handshake records may cause panics
stdlib
1.18.2
1.19.6, 1.20.1
https://avd.aquasec.com/nvd/cve-2022-41724
CVE-2022-41725
HIGH
7.5
golang: net/http, mime/multipart: denial of service from excessive resource
consumption
stdlib
1.18.2
1.19.6, 1.20.1
https://avd.aquasec.com/nvd/cve-2022-41725
CVE-2023-24534
HIGH
7.5
golang: net/http, net/textproto: denial of service from excessive memory
allocation
stdlib
1.18.2
1.19.8, 1.20.3
https://avd.aquasec.com/nvd/cve-2023-24534
CVE-2023-24536
HIGH
7.5
golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption
stdlib
1.18.2
1.19.8, 1.20.3
https://avd.aquasec.com/nvd/cve-2023-24536
CVE-2023-24537
HIGH
7.5
golang: go/parser: Infinite loop in parsing
stdlib
1.18.2
1.19.8, 1.20.3
https://avd.aquasec.com/nvd/cve-2023-24537
CVE-2023-24539
HIGH
7.3
golang: html/template: improper sanitization of CSS values
stdlib
1.18.2
1.19.9, 1.20.4
https://avd.aquasec.com/nvd/cve-2023-24539
CVE-2023-29400
HIGH
7.3
golang: html/template: improper handling of empty HTML attributes
stdlib
1.18.2
1.19.9, 1.20.4
https://avd.aquasec.com/nvd/cve-2023-29400
CVE-2023-29403
HIGH
7.8
golang: runtime: unexpected behavior of setuid/setgid binaries
stdlib
1.18.2
1.19.10, 1.20.5
https://avd.aquasec.com/nvd/cve-2023-29403
CVE-2023-39325
HIGH
7.5
golang: net/http, x/net/http2: rapid stream resets can cause excessive work
(CVE-2023-44487)
stdlib
1.18.2
1.20.10, 1.21.3
https://avd.aquasec.com/nvd/cve-2023-39325
CVE-2023-45283
HIGH
7.5
The filepath package does not recognize paths with a \\??\\ prefix as sp
...
stdlib
1.18.2
1.20.11, 1.21.4, 1.20.12, 1.21.5
https://avd.aquasec.com/nvd/cve-2023-45283
CVE-2023-45287
HIGH
7.5
golang: crypto/tls: Timing Side Channel attack in RSA based TLS key
exchanges.
stdlib
1.18.2
1.20.0
https://avd.aquasec.com/nvd/cve-2023-45287
CVE-2023-45288
HIGH
golang: net/http, x/net/http2: unlimited number of CONTINUATION frames
causes DoS
stdlib
1.18.2
1.21.9, 1.22.2
https://avd.aquasec.com/nvd/cve-2023-45288
CVE-2024-34156
HIGH
encoding/gob: golang: Calling Decoder.Decode on a message which contains
deeply nested structures can cause a panic due to stack exhaustion
stdlib
1.18.2
1.22.7, 1.23.1
https://avd.aquasec.com/nvd/cve-2024-34156
CVE-2022-1705
MEDIUM
6.5
golang: net/http: improper sanitization of Transfer-Encoding header
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-1705
CVE-2022-1962
MEDIUM
5.5
golang: go/parser: stack exhaustion in all Parse* functions
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-1962
CVE-2022-32148
MEDIUM
6.5
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For
not working
stdlib
1.18.2
1.17.12, 1.18.4
https://avd.aquasec.com/nvd/cve-2022-32148
CVE-2022-41717
MEDIUM
5.3
golang: net/http: excessive memory growth in a Go server accepting HTTP/2
requests
stdlib
1.18.2
1.18.9, 1.19.4
https://avd.aquasec.com/nvd/cve-2022-41717
CVE-2023-24532
MEDIUM
5.3
golang: crypto/internal/nistec: specific unreduced P-256 scalars produce
incorrect results
stdlib
1.18.2
1.19.7, 1.20.2
https://avd.aquasec.com/nvd/cve-2023-24532
CVE-2023-29406
MEDIUM
6.5
golang: net/http: insufficient sanitization of Host header
stdlib
1.18.2
1.19.11, 1.20.6
https://avd.aquasec.com/nvd/cve-2023-29406
CVE-2023-29409
MEDIUM
5.3
golang: crypto/tls: slow verification of certificate chains containing large
RSA keys
stdlib
1.18.2
1.19.12, 1.20.7, 1.21.0-rc.4
https://avd.aquasec.com/nvd/cve-2023-29409
CVE-2023-39318
MEDIUM
6.1
golang: html/template: improper handling of HTML-like comments within script
contexts
stdlib
1.18.2
1.20.8, 1.21.1
https://avd.aquasec.com/nvd/cve-2023-39318
CVE-2023-39319
MEDIUM
6.1
golang: html/template: improper handling of special tags within script
contexts
stdlib
1.18.2
1.20.8, 1.21.1
https://avd.aquasec.com/nvd/cve-2023-39319
CVE-2023-39326
MEDIUM
5.3
golang: net/http/internal: Denial of Service (DoS) via Resource Consumption
via HTTP requests
stdlib
1.18.2
1.20.12, 1.21.5
https://avd.aquasec.com/nvd/cve-2023-39326
CVE-2023-45284
MEDIUM
5.3
On Windows, The IsLocal function does not correctly detect reserved de ...
stdlib
1.18.2
1.20.11, 1.21.4
https://avd.aquasec.com/nvd/cve-2023-45284
CVE-2023-45289
MEDIUM
golang: net/http/cookiejar: incorrect forwarding of sensitive headers and
cookies on HTTP redirect
stdlib
1.18.2
1.21.8, 1.22.1
https://avd.aquasec.com/nvd/cve-2023-45289
CVE-2023-45290
MEDIUM
golang: net/http: golang: mime/multipart: golang: net/textproto: memory
exhaustion in Request.ParseMultipartForm
stdlib
1.18.2
1.21.8, 1.22.1
https://avd.aquasec.com/nvd/cve-2023-45290
CVE-2024-24783
MEDIUM
golang: crypto/x509: Verify panics on certificates with an unknown public
key algorithm
stdlib
1.18.2
1.21.8, 1.22.1
https://avd.aquasec.com/nvd/cve-2024-24783
CVE-2024-24784
MEDIUM
golang: net/mail: comments in display names are incorrectly handled
stdlib
1.18.2
1.21.8, 1.22.1
https://avd.aquasec.com/nvd/cve-2024-24784
CVE-2024-24785
MEDIUM
golang: html/template: errors returned from MarshalJSON methods may break
template escaping
stdlib
1.18.2
1.21.8, 1.22.1
https://avd.aquasec.com/nvd/cve-2024-24785
CVE-2024-24789
MEDIUM
5.5
golang: archive/zip: Incorrect handling of certain ZIP files
stdlib
1.18.2
1.21.11, 1.22.4
https://avd.aquasec.com/nvd/cve-2024-24789
CVE-2024-24791
MEDIUM
net/http: Denial of service due to improper 100-continue handling in
net/http
stdlib
1.18.2
1.21.12, 1.22.5
https://avd.aquasec.com/nvd/cve-2024-24791
CVE-2024-34155
MEDIUM
go/parser: golang: Calling any of the Parse functions containing deeply
nested literals can cause a panic/stack exhaustion
stdlib
1.18.2
1.22.7, 1.23.1
https://avd.aquasec.com/nvd/cve-2024-34155
CVE-2024-34158
MEDIUM
go/build/constraint: golang: Calling Parse on a \// +build\" build tag line
with deeply nested expressions can cause a panic due to stack exhaustion"
stdlib
1.18.2
1.22.7, 1.23.1
https://avd.aquasec.com/nvd/cve-2024-34158
CVE-2022-30629
LOW
3.1
golang: crypto/tls: session tickets lack random ticket_age_add
stdlib
1.18.2
1.17.11, 1.18.3
https://avd.aquasec.com/nvd/cve-2022-30629

Thanks,
Sathyendran