mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 9 vulnerabilities (highest severity is: 9.8)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 8 vulnerabilities (highest severity is: 9.8)" on Jul 14, 2023
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 8 vulnerabilities (highest severity is: 9.8)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 8 vulnerabilities (highest severity is: 8.2)" on Sep 15, 2023
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 8 vulnerabilities (highest severity is: 8.2)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 9 vulnerabilities (highest severity is: 8.2)" on Apr 22, 2024
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 9 vulnerabilities (highest severity is: 8.2)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 11 vulnerabilities (highest severity is: 8.2)" on Apr 22, 2024
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 11 vulnerabilities (highest severity is: 8.2)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 12 vulnerabilities (highest severity is: 8.2)" on Apr 23, 2024
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 12 vulnerabilities (highest severity is: 8.2)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 13 vulnerabilities (highest severity is: 8.2)" on Apr 23, 2024
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 13 vulnerabilities (highest severity is: 8.2)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 14 vulnerabilities (highest severity is: 9.8)" on Apr 26, 2024
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 14 vulnerabilities (highest severity is: 9.8)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 16 vulnerabilities (highest severity is: 9.8)" on Aug 11, 2024
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 16 vulnerabilities (highest severity is: 9.8)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 17 vulnerabilities (highest severity is: 9.8)" on Nov 10, 2024
mend-bolt-for-github bot changed the title from "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 17 vulnerabilities (highest severity is: 9.8)" to "github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1: 18 vulnerabilities (highest severity is: 9.8)" on Dec 19, 2024
Vulnerable Library - github.com/pulumi/pulumi-terraform-bridge/v3-v3.24.1
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2024-3817
Vulnerable Library - github.com/hashicorp/go-getter-v1.6.1
Package for downloading things from a string URL using a variety of protocols.
Library home page: https://proxy.golang.org/github.com/hashicorp/go-getter/@v/v1.6.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
Publish Date: 2024-04-17
URL: CVE-2024-3817
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
Release Date: 2024-04-17
Fix Resolution: v1.7.4
Step up your Open Source Security Game with Mend here
CVE-2024-6257
Vulnerable Library - github.com/hashicorp/go-getter-v1.6.1
Package for downloading things from a string URL using a variety of protocols.
Library home page: https://proxy.golang.org/github.com/hashicorp/go-getter/@v/v1.6.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Publish Date: 2024-06-25
URL: CVE-2024-6257
CVSS 3 Score Details (8.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
Release Date: 2024-06-25
Fix Resolution: github.com/hashicorp/go-getter-v1.7.5
CVE-2020-16251
Vulnerable Library - github.com/hashicorp/vault/api-v1.1.1
A tool for secrets management, encryption as a service, and privileged access management
Library home page: https://proxy.golang.org/github.com/hashicorp/vault/api/@v/v1.1.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Publish Date: 2020-08-26
URL: CVE-2020-16251
CVSS 3 Score Details (8.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-16251
Release Date: 2020-08-01
Fix Resolution: v1.2.5,v1.3.8,v1.4.4,v1.5.1
CVE-2024-24786
Vulnerable Library - google.golang.org/protobuf-v1.28.0
Go support for Google's protocol buffers
Library home page: https://proxy.golang.org/google.golang.org/protobuf/@v/v1.28.0.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Publish Date: 2024-03-05
URL: CVE-2024-24786
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2024-2611
Release Date: 2024-03-05
Fix Resolution: v1.33.0
CVE-2023-44487
Vulnerable Library - google.golang.org/grpc-v1.46.0
The Go language implementation of gRPC. HTTP/2 based RPC
Library home page: https://proxy.golang.org/google.golang.org/grpc/@v/v1.46.0.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
CVE-2022-41721
Vulnerable Library - golang.org/x/net-v0.0.0-20220412020605-290c469a71a5
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20220412020605-290c469a71a5.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Publish Date: 2023-01-13
URL: CVE-2022-41721
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-13
Fix Resolution: v0.2.0
CVE-2022-32149
Vulnerable Library - golang.org/x/text-v0.3.7
Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.7.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Publish Date: 2022-10-14
URL: CVE-2022-32149
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149
Release Date: 2022-10-14
Fix Resolution: v0.3.8
CVE-2022-3064
Vulnerable Library - github.com/zclconf/go-cty-yaml-v1.0.1
YAML marshalling and unmarshalling for go-cty
Library home page: https://proxy.golang.org/github.com/zclconf/go-cty-yaml/@v/v1.0.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
Publish Date: 2022-12-27
URL: CVE-2022-3064
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2022-0956
Release Date: 2022-12-27
Fix Resolution: v2.2.4
CVE-2023-4680
Vulnerable Library - github.com/hashicorp/vault/sdk-v0.2.1
Library home page: https://proxy.golang.org/github.com/hashicorp/vault/sdk/@v/v0.2.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.
Publish Date: 2023-09-14
URL: CVE-2023-4680
CVSS 3 Score Details (6.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-v84f-6r39-cpfc
Release Date: 2023-09-14
Fix Resolution: v1.12.11,v1.13.7,v1.14.3
WS-2023-0431
Vulnerable Library - gopkg.in/square/go-jose.v2-v2.6.0
An implementation of JOSE standards (JWE, JWS, JWT) in Go
Library home page: https://proxy.golang.org/gopkg.in/square/go-jose.v2/@v/v2.6.0.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
The go-jose package before 3.0.1 is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.
Publish Date: 2023-11-22
URL: WS-2023-0431
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-2c7c-3mj9-8fqh
Release Date: 2023-11-22
Fix Resolution: v3.0.1
CVE-2019-11254
Vulnerable Library - github.com/zclconf/go-cty-yaml-v1.0.1
YAML marshalling and unmarshalling for go-cty
Library home page: https://proxy.golang.org/github.com/zclconf/go-cty-yaml/@v/v1.0.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-10-02
Fix Resolution: v2.2.8
CVE-2024-6104
Vulnerable Library - github.com/hashicorp/go-retryablehttp-v0.7.0
Retryable HTTP client in Go
Library home page: https://proxy.golang.org/github.com/hashicorp/go-retryablehttp/@v/v0.7.0.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
Publish Date: 2024-06-24
URL: CVE-2024-6104
CVSS 3 Score Details (6.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-6104
Release Date: 2024-06-24
Fix Resolution: github.com/hashicorp/go-retryablehttp-v0.7.7
CVE-2024-45338
Vulnerable Library - golang.org/x/net-v0.0.0-20220412020605-290c469a71a5
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20220412020605-290c469a71a5.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Publish Date: 2024-12-18
URL: CVE-2024-45338
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-12-18
Fix Resolution: github.com/golang/net-v0.33.0
CVE-2022-41717
Vulnerable Library - golang.org/x/sys-v0.0.0-20220520151302-bc2c85ada10a
[mirror] Go packages for low-level interaction with the operating system
Library home page: https://proxy.golang.org/golang.org/x/sys/@v/v0.0.0-20220520151302-bc2c85ada10a.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Publish Date: 2022-12-08
URL: CVE-2022-41717
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-12-08
Fix Resolution: go1.19.4
CVE-2021-38553
Vulnerable Library - github.com/hashicorp/vault/api-v1.1.1
A tool for secrets management, encryption as a service, and privileged access management
Library home page: https://proxy.golang.org/github.com/hashicorp/vault/api/@v/v1.1.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
Publish Date: 2021-08-13
URL: CVE-2021-38553
CVSS 3 Score Details (4.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38553
Release Date: 2021-08-13
Fix Resolution: v1.8.0
CVE-2024-28180
Vulnerable Library - gopkg.in/square/go-jose.v2-v2.6.0
An implementation of JOSE standards (JWE, JWS, JWT) in Go
Library home page: https://proxy.golang.org/gopkg.in/square/go-jose.v2/@v/v2.6.0.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Publish Date: 2024-03-09
URL: CVE-2024-28180
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180
Release Date: 2024-03-09
Fix Resolution: v2.6.3,v3.0.3,v4.0.1
CVE-2023-0475
Vulnerable Library - github.com/hashicorp/go-getter-v1.6.1
Package for downloading things from a string URL using a variety of protocols.
Library home page: https://proxy.golang.org/github.com/hashicorp/go-getter/@v/v1.6.1.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Publish Date: 2023-02-16
URL: CVE-2023-0475
CVSS 3 Score Details (4.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
Release Date: 2023-02-16
Fix Resolution: v1.7.0,v2.2.0
CVE-2024-51744
Vulnerable Library - github.com/golang-jwt/jwt/v4-v4.0.0
Community maintained clone of https://github.com/dgrijalva/jwt-go
Library home page: https://proxy.golang.org/github.com/golang-jwt/jwt/v4/@v/v4.0.0.zip
Path to dependency file: /provider/go.mod
Path to vulnerable library: /provider/go.mod
Dependency Hierarchy:
Found in HEAD commit: 0c811af9bdbbdda9ef7bb75ceb86ee6642fce161
Found in base branch: main
Vulnerability Details
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.
Publish Date: 2024-11-04
URL: CVE-2024-51744
CVSS 3 Score Details (3.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-29wx-vh33-7x7r
Release Date: 2024-11-04
Fix Resolution: github.com/golang-jwt/jwt-v4.5.1