azcopy has vulnerability CVE-2022-41723 due to a library it uses #2084
Labels
Milestone
Comments
Michael-Sinz
added a commit
to Michael-Sinz/azure-storage-azcopy
that referenced
this issue
Feb 24, 2023
This temporary override is needed to address the vulnerability in golang.org/x/net which is pulled indirectly but with a version that has the vulnerability. See GHSA-vvpx-j8f3-3w6h This is to address issue Azure#2084 Azure#2084
|
This has already been taken care of in 'dev' branch, changes will be merged to main on next release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Which version of the AzCopy was used?
Latest (10.17.0)
Note: The version is visible when running AzCopy without any argument
AzCopy 10.17.0
Which platform are you using? (ex: Windows, Mac, Linux)
Linux
What problem was encountered?
AzCopy is built with go and the golang.org/x/net package has a vulnerability: GHSA-vvpx-j8f3-3w6h
We need a build of AzCopy that uses 0.7.0 or better.
How can we reproduce the problem in the simplest way?
Get a deep security scan of the azcopy binary.
Have you found a mitigation/solution?
Yes - build AzCopy with
go mod edit --replace golang.org/x/net=golang.org/x/[email protected] && go mod tidyThe text was updated successfully, but these errors were encountered: