github.com/pulumi/pulumi/sdk/v3-v3.33.1: 20 vulnerabilities (highest severity is: 9.8) #8

Open
mend-bolt-for-github bot opened this issue Feb 21, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

mend-bolt-for-github bot commented Feb 21, 2023

Vulnerable Library - github.com/pulumi/pulumi/sdk/v3-v3.33.1

Path to dependency file: /provider/go.mod

Path to vulnerable library: /sdk/go.mod

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/pulumi/pulumi/sdk/v3-v3.33.1 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-49569 | Critical | 9.8 | gopkg.in/src-d/go-git.v4-v4.13.1 | Transitive | N/A* | |
| CVE-2024-24786 | High | 7.5 | google.golang.org/protobuf-v1.24.0 | Transitive | N/A* | |
| CVE-2023-49568 | High | 7.5 | gopkg.in/src-d/go-git.v4-v4.13.1 | Transitive | N/A* | |
| CVE-2023-44487 | High | 7.5 | google.golang.org/grpc-v1.29.1 | Transitive | N/A* | |
| CVE-2022-41721 | High | 7.5 | golang.org/x/net-v0.0.0-20201021035429-f5854403a974 | Transitive | N/A* | |
| CVE-2022-32149 | High | 7.5 | golang.org/x/text-v0.3.3 | Transitive | N/A* | |
| CVE-2022-27664 | High | 7.5 | golang.org/x/net-v0.0.0-20201021035429-f5854403a974 | Transitive | N/A* | |
| CVE-2022-27191 | High | 7.5 | golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 | Transitive | N/A* | |
| CVE-2021-44716 | High | 7.5 | golang.org/x/net-v0.0.0-20201021035429-f5854403a974 | Transitive | N/A* | |
| CVE-2021-43565 | High | 7.5 | golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 | Transitive | N/A* | |
| CVE-2021-38561 | High | 7.5 | golang.org/x/text-v0.3.3 | Transitive | N/A* | |
| CVE-2021-33194 | High | 7.5 | golang.org/x/net-v0.0.0-20201021035429-f5854403a974 | Transitive | N/A* | |
| CVE-2020-29652 | High | 7.5 | golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 | Transitive | N/A* | |
| CVE-2020-28852 | High | 7.5 | golang.org/x/text-v0.3.3 | Transitive | N/A* | |
| CVE-2020-28851 | High | 7.5 | golang.org/x/text-v0.3.3 | Transitive | N/A* | |
| CVE-2019-0205 | High | 7.5 | github.com/uber/jaeger-client-go-v2.22.1+incompatible | Transitive | N/A* | |
| CVE-2021-31525 | Medium | 5.9 | golang.org/x/net-v0.0.0-20201021035429-f5854403a974 | Transitive | N/A* | |
| CVE-2024-45338 | Medium | 5.3 | golang.org/x/net-v0.0.0-20201021035429-f5854403a974 | Transitive | N/A* | |
| CVE-2022-30636 | Medium | 5.3 | golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 | Transitive | N/A* | |
| CVE-2022-29526 | Medium | 5.3 | golang.org/x/sys-v0.0.0-20210817190340-bfb29a6856f2 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2023-49569

Vulnerable Library - gopkg.in/src-d/go-git.v4-v4.13.1

Project has been moved to: https://github.com/go-git/go-git

Library home page: https://proxy.golang.org/gopkg.in/src-d/go-git.v4/@v/v4.13.1.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod,/provider/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • gopkg.in/src-d/go-git.v4-v4.13.1 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.

Applications are only affected if they are using the ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of the Open and Clone funcs (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.

Publish Date: 2024-01-12

URL: CVE-2023-49569

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-449p-3h89-pw88

Release Date: 2024-01-12

Fix Resolution: v5.11.0

Step up your Open Source Security Game with Mend here

CVE-2024-24786

Vulnerable Library - google.golang.org/protobuf-v1.24.0

Go support for Google's protocol buffers

Library home page: https://proxy.golang.org/google.golang.org/protobuf/@v/v1.24.0.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • google.golang.org/grpc-v1.29.1
      • google.golang.org/genproto-v0.0.0-20200608115520-7c474a2e3482
        • google.golang.org/protobuf-v1.24.0 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Publish Date: 2024-03-05

URL: CVE-2024-24786

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2024-2611

Release Date: 2024-03-05

Fix Resolution: v1.33.0

CVE-2023-49568

Vulnerable Library - gopkg.in/src-d/go-git.v4-v4.13.1

Project has been moved to: https://github.com/go-git/go-git

Library home page: https://proxy.golang.org/gopkg.in/src-d/go-git.v4/@v/v4.13.1.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod,/provider/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • gopkg.in/src-d/go-git.v4-v4.13.1 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Publish Date: 2024-01-12

URL: CVE-2023-49568

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-449p-3h89-pw88

Release Date: 2024-01-12

Fix Resolution: v5.11.0

CVE-2023-44487

Vulnerable Library - google.golang.org/grpc-v1.29.1

The Go language implementation of gRPC. HTTP/2 based RPC

Library home page: https://proxy.golang.org/google.golang.org/grpc/@v/v1.29.1.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • google.golang.org/grpc-v1.29.1 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

CVE-2022-41721

Vulnerable Library - golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20201021035429-f5854403a974.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-13

Fix Resolution: v0.2.0

CVE-2022-32149

Vulnerable Library - golang.org/x/text-v0.3.3

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.3.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974
      • golang.org/x/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

CVE-2022-27664

Vulnerable Library - golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20201021035429-f5854403a974.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Publish Date: 2022-09-06

URL: CVE-2022-27664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2022-0969

Release Date: 2022-09-06

Fix Resolution: golang.org/x/net - 0.0.0-20220906165146-f3363e06e74c, go1.18.6, go1.19.1

CVE-2022-27191

Vulnerable Library - golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9

Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20200622213623-75b288015ac9.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Publish Date: 2022-03-18

URL: CVE-2022-27191

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191

Release Date: 2022-03-18

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1

CVE-2021-44716

Vulnerable Library - golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20201021035429-f5854403a974.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

CVE-2021-43565

Vulnerable Library - golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9

Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20200622213623-75b288015ac9.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

Publish Date: 2022-09-06

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565

Release Date: 2021-11-10

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1

CVE-2021-38561

Vulnerable Library - golang.org/x/text-v0.3.3

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.3.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974
      • golang.org/x/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

CVE-2021-33194

Vulnerable Library - golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20201021035429-f5854403a974.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023

CVE-2020-29652

Vulnerable Library - golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9

Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20200622213623-75b288015ac9.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

CVE-2020-28852

Vulnerable Library - golang.org/x/text-v0.3.3

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.3.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974
      • golang.org/x/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28852

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28852

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.5-1,0.3.5-1

CVE-2020-28851

Vulnerable Library - golang.org/x/text-v0.3.3

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.3.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974
      • golang.org/x/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28851

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28851

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.6-1,0.3.6-1

CVE-2019-0205

Vulnerable Library - github.com/uber/jaeger-client-go-v2.22.1+incompatible

Jaeger Bindings for Go OpenTracing API.

Library home page: https://proxy.golang.org/github.com/uber/jaeger-client-go/@v/v2.22.1+incompatible.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • github.com/uber/jaeger-client-go-v2.22.1+incompatible (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Publish Date: 2019-10-28

URL: CVE-2019-0205

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205

Release Date: 2019-10-28

Fix Resolution: org.apache.thrift:libthrift:0.13.0

CVE-2021-31525

Vulnerable Library - golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20201021035429-f5854403a974.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

CVE-2024-45338

Vulnerable Library - golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20201021035429-f5854403a974.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/net-v0.0.0-20201021035429-f5854403a974 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Publish Date: 2024-12-18

URL: CVE-2024-45338

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2024-12-18

Fix Resolution: github.com/golang/net-v0.33.0

CVE-2022-30636

Vulnerable Library - golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9

Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20200622213623-75b288015ac9.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • golang.org/x/crypto-v0.0.0-20200622213623-75b288015ac9 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/....\asd becomes ....\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

Publish Date: 2024-07-02

URL: CVE-2022-30636

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-30636

Release Date: 2024-07-02

Fix Resolution: github.com/golang/crypto-v0.1.0

CVE-2022-29526

Vulnerable Library - golang.org/x/sys-v0.0.0-20210817190340-bfb29a6856f2

Library home page: https://proxy.golang.org/golang.org/x/sys/@v/v0.0.0-20210817190340-bfb29a6856f2.zip

Path to dependency file: /sdk/go.mod

Path to vulnerable library: /sdk/go.mod

Dependency Hierarchy:

  • github.com/pulumi/pulumi/sdk/v3-v3.33.1 (Root Library)
    • gopkg.in/src-d/go-git.v4-v4.13.1
      • gopkg.in/src-d/go-billy.v4-v4.3.2
        • golang.org/x/sys-v0.0.0-20210817190340-bfb29a6856f2 (Vulnerable Library)

Found in HEAD commit: 91873fcdcfc0b8bdcd1e3a12de8708e0e762ae88

Found in base branch: main

Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-22

URL: CVE-2022-29526

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526

Release Date: 2022-06-23

Fix Resolution: go1.17.10,go1.18.2,go1.19

@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Feb 21, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title github.com/pulumi/pulumi/sdk/v3-v3.33.1: 16 vulnerabilities (highest severity is: 7.5) github.com/pulumi/pulumi/sdk/v3-v3.33.1: 10 vulnerabilities (highest severity is: 7.5) Jul 14, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title github.com/pulumi/pulumi/sdk/v3-v3.33.1: 10 vulnerabilities (highest severity is: 7.5) github.com/pulumi/pulumi/sdk/v3-v3.33.1: 14 vulnerabilities (highest severity is: 7.5) Dec 27, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title github.com/pulumi/pulumi/sdk/v3-v3.33.1: 14 vulnerabilities (highest severity is: 7.5) github.com/pulumi/pulumi/sdk/v3-v3.33.1: 16 vulnerabilities (highest severity is: 9.8) Apr 22, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title github.com/pulumi/pulumi/sdk/v3-v3.33.1: 16 vulnerabilities (highest severity is: 9.8) github.com/pulumi/pulumi/sdk/v3-v3.33.1: 17 vulnerabilities (highest severity is: 9.8) Apr 22, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title github.com/pulumi/pulumi/sdk/v3-v3.33.1: 17 vulnerabilities (highest severity is: 9.8) github.com/pulumi/pulumi/sdk/v3-v3.33.1: 18 vulnerabilities (highest severity is: 9.8) Apr 23, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title github.com/pulumi/pulumi/sdk/v3-v3.33.1: 18 vulnerabilities (highest severity is: 9.8) github.com/pulumi/pulumi/sdk/v3-v3.33.1: 19 vulnerabilities (highest severity is: 9.8) Aug 5, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title github.com/pulumi/pulumi/sdk/v3-v3.33.1: 19 vulnerabilities (highest severity is: 9.8) github.com/pulumi/pulumi/sdk/v3-v3.33.1: 20 vulnerabilities (highest severity is: 9.8) Dec 19, 2024