
Various CVEs reported by trivy scanner #217

Closed
noorul opened this issue Jan 9, 2025 · 4 comments

Comments

@noorul
Contributor

noorul commented Jan 9, 2025

Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 13, HIGH: 5, CRITICAL: 2)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.17.0           │ 0.31.0                           │ golang.org/x/crypto/ssh: Misuse of                           │
│                     │                │          │        │                   │                                  │ ServerConfig.PublicKeyCallback may cause authorization       │
│                     │                │          │        │                   │                                  │ bypass in golang.org/x/crypto                                │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-45337                   │
├─────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2024-24790 │          │        │ v1.19.13          │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│                     │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                     ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-39325 │ HIGH     │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                     │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│                     │                │          │        │                   │                                  │ prefix as...                                                 │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45287 │          │        │                   │ 1.20.0                           │ golang: crypto/tls: Timing Side Channel attack in RSA based  │
│                     │                │          │        │                   │                                  │ TLS key exchanges....                                        │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45287                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│                     │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1                   │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│                     │                │          │        │                   │                                  │ which contains deeply nested structures...                   │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
│                     ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-39318 │ MEDIUM   │        │                   │ 1.20.8, 1.21.1                   │ golang: html/template: improper handling of HTML-like        │
│                     │                │          │        │                   │                                  │ comments within script contexts                              │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39318                   │
│                     ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-39319 │          │        │                   │                                  │ golang: html/template: improper handling of special tags     │
│                     │                │          │        │                   │                                  │ within script contexts                                       │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39319                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-39326 │          │        │                   │ 1.20.12, 1.21.5                  │ golang: net/http/internal: Denial of Service (DoS) via       │
│                     │                │          │        │                   │                                  │ Resource Consumption via HTTP requests...                    │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39326                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45284 │          │        │                   │ 1.20.11, 1.21.4                  │ On Windows, The IsLocal function does not correctly detect   │
│                     │                │          │        │                   │                                  │ reserved de ......                                           │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45284                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │          │        │                   │ 1.21.8, 1.22.1                   │ golang: net/http/cookiejar: incorrect forwarding of          │
│                     │                │          │        │                   │                                  │ sensitive headers and cookies on HTTP redirect...            │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                     ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                                  │ golang: net/http: golang: mime/multipart: golang:            │
│                     │                │          │        │                   │                                  │ net/textproto: memory exhaustion in                          │
│                     │                │          │        │                   │                                  │ Request.ParseMultipartForm                                   │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                     ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                                  │ golang: crypto/x509: Verify panics on certificates with an   │
│                     │                │          │        │                   │                                  │ unknown public key algorithm...                              │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                     ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                                  │ golang: net/mail: comments in display names are incorrectly  │
│                     │                │          │        │                   │                                  │ handled                                                      │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                     ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                                  │ golang: html/template: errors returned from MarshalJSON      │
│                     │                │          │        │                   │                                  │ methods may break template escaping                          │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4                  │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5                  │ net/http: Denial of service due to improper 100-continue     │
│                     │                │          │        │                   │                                  │ handling in net/http                                         │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
│                     ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-34155 │          │        │                   │ 1.22.7, 1.23.1                   │ go/parser: golang: Calling any of the Parse functions        │
│                     │                │          │        │                   │                                  │ containing deeply nested literals...                         │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34155                   │
│                     ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-34158 │          │        │                   │                                  │ go/build/constraint: golang: Calling Parse on a "// +build"  │
│                     │                │          │        │                   │                                  │ build tag line with...                                       │
│                     │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34158                   │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘
@petedannemann
Contributor

Hi, the best way to get this completed quickly is to submit a pull request.

@noorul
Contributor Author

noorul commented Jan 9, 2025

I see that dependabot is enabled. This might be already fixed if the PRs are merged. Not sure when the next release will take place.

@petedannemann
Contributor

Trivy is significantly more strict than dependabot - dependabot only reported one of these. Anyways, this should be fixed via #218 and #212.

@noorul
Contributor Author

noorul commented Jan 9, 2025

Unfortunately the last release was in July.
