philipabed / renovate Goto Github PK
View Code? Open in Web Editor NEWThis project forked from renovatebot/renovate
Universal dependency update tool that fits into your workflows.
Home Page: https://renovatebot.com
License: Other
renovate's People
Contributors
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "github-actions[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
Stargazers
renovate's Issues
Dependency Dashboard
This issue provides visibility into Renovate updates and their statuses. Learn more
Repository problems
These problems occurred while renovating this repository.
- WARN: packageVersion is not a valid version so cannot compare/upgrade
Awaiting Schedule
These updates are awaiting their schedule. Click on a checkbox to get an update now.
- chore(deps): lock file maintenance
github.com/kubernetes/apimachinery-v0.17.3: 1 vulnerabilities (highest severity is: 6.8)
Vulnerable Library - github.com/kubernetes/apimachinery-v0.17.3
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-8559 |  Medium |
6.8 | github.com/kubernetes/apimachinery-v0.17.3 | Direct | v1.18.6,v1.17.9,v1.16.13 | ❌ |
Details
CVE-2020-8559
Vulnerable Library - github.com/kubernetes/apimachinery-v0.17.3
Dependency Hierarchy:
- ❌ github.com/kubernetes/apimachinery-v0.17.3 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
Publish Date: 2020-07-22
URL: CVE-2020-8559
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: kubernetes/kubernetes#92914
Release Date: 2020-07-21
Fix Resolution: v1.18.6,v1.17.9,v1.16.13
github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1: 4 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1
Docker machine driver for VMware Fusion and Workstation.
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-27191 |  High |
7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | N/A | ❌ |
| CVE-2020-9283 | High |
7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236 | ❌ |
| CVE-2020-29652 | High |
7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
| CVE-2021-43565 | High |
7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | N/A | ❌ |
Details
CVE-2022-27191
Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
- ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2020-9283
Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
- ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Publish Date: 2020-02-20
URL: CVE-2020-9283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
Release Date: 2020-02-20
Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236
CVE-2020-29652
Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
- ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
CVE-2021-43565
Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
- ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Code Security Report: 41 total findings
Code Security Report
Latest Scan: 2022-05-09 01:39pm
Total Findings: 41
Tested Project Files: 1316
Detected Programming Languages: 6
- Check this box to manually trigger a scan
Language: TypeScript
| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
 Low |
CWE-798 | Hardcoded Password/Credentials | 6 |
| Low |
CWE-338 | Weak Pseudo-Random | 4 |
Details
No high vulnerability findings detected. To view information on the remaining findings, navigate to the WhiteSource SAST Application.
Language: JavaScript / Node.js
No vulnerability findings detected.
Language: Go
No vulnerability findings detected.
Language: Swift
No vulnerability findings detected.
Language: Ruby
| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| Low |
CWE-916 | Weak Hash Strength | 29 |
Details
No high vulnerability findings detected. To view information on the remaining findings, navigate to the WhiteSource SAST Application.
Language: Python
| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| Low |
CWE-472 | Hidden HTML Input | 2 |
Details
No high vulnerability findings detected. To view information on the remaining findings, navigate to the WhiteSource SAST Application.
bunyan-1.8.15.tgz: 1 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - bunyan-1.8.15.tgz
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-24785 | High |
7.5 | moment-2.29.1.tgz | Transitive | N/A | ❌ |
Details
CVE-2022-24785
Vulnerable Library - moment-2.29.1.tgz
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz
Dependency Hierarchy:
- bunyan-1.8.15.tgz (Root Library)
- ❌ moment-2.29.1.tgz (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Publish Date: 2022-04-04
URL: CVE-2022-24785
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8hfj-j24r-96c4
Release Date: 2022-04-04
Fix Resolution: moment - 2.29.2,Moment.js - 2.29.2
github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f: 3 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f
[mirror] Go supplementary cryptography libraries
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-27191 | High |
7.5 | github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f | Direct | N/A | ❌ |
| CVE-2020-29652 | High |
7.5 | github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
| CVE-2021-43565 | High |
7.5 | github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f | Direct | N/A | ❌ |
Details
CVE-2022-27191
Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2020-29652
Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
CVE-2021-43565
Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
github.com/kubernetes/client-go-v0.17.3: 1 vulnerabilities (highest severity is: 5.5)
Vulnerable Library - github.com/kubernetes/client-go-v0.17.3
Go client for Kubernetes.
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-8565 | Medium |
5.5 | github.com/kubernetes/client-go-v0.17.3 | Direct | v1.20.0-alpha.2 | ❌ |
Details
CVE-2020-8565
Vulnerable Library - github.com/kubernetes/client-go-v0.17.3
Go client for Kubernetes.
Dependency Hierarchy:
- ❌ github.com/kubernetes/client-go-v0.17.3 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Publish Date: 2020-12-07
URL: CVE-2020-8565
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0064
Release Date: 2020-12-07
Fix Resolution: v1.20.0-alpha.2
system.componentmodel.annotations.4.3.0.nupkg: 1 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - system.componentmodel.annotations.4.3.0.nupkg
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2019-0820 | High |
7.5 | system.text.regularexpressions.4.3.0.nupkg | Transitive | N/A | ❌ |
Details
CVE-2019-0820
Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg
Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy:
- system.componentmodel.annotations.4.3.0.nupkg (Root Library)
- ❌ system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
github.com/golang/text-v0.3.2: 4 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - github.com/golang/text-v0.3.2
[mirror] Go text processing support
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-28851 | High |
7.5 | github.com/golang/text-v0.3.2 | Direct | N/A | ❌ |
| CVE-2020-28852 | High |
7.5 | github.com/golang/text-v0.3.2 | Direct | Replace or update the following files: parse.go, parse_test.go | ❌ |
| CVE-2021-38561 | High |
7.5 | github.com/golang/text-v0.3.2 | Direct | v0.3.7 | ❌ |
| CVE-2020-14040 | High |
7.5 | github.com/golang/text-v0.3.2 | Direct | v0.3.3 | ❌ |
Details
CVE-2020-28851
Vulnerable Library - github.com/golang/text-v0.3.2
[mirror] Go text processing support
Dependency Hierarchy:
- ❌ github.com/golang/text-v0.3.2 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28851
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2020-28852
Vulnerable Library - github.com/golang/text-v0.3.2
[mirror] Go text processing support
Dependency Hierarchy:
- ❌ github.com/golang/text-v0.3.2 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28852
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Change files
Origin: golang/text@4482a91
Release Date: 2020-11-18
Fix Resolution: Replace or update the following files: parse.go, parse_test.go
CVE-2021-38561
Vulnerable Library - github.com/golang/text-v0.3.2
[mirror] Go text processing support
Dependency Hierarchy:
- ❌ github.com/golang/text-v0.3.2 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.
Publish Date: 2021-08-12
URL: CVE-2021-38561
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
CVE-2020-14040
Vulnerable Library - github.com/golang/text-v0.3.2
[mirror] Go text processing support
Dependency Hierarchy:
- ❌ github.com/golang/text-v0.3.2 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
github.com/parallels/docker-machine-parallels-v1.3.0: 4 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - github.com/parallels/docker-machine-parallels-v1.3.0
Parallels driver for Docker Machine https://github.com/docker/machine
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-27191 | High |
7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | N/A | ❌ |
| CVE-2020-9283 | High |
7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236 | ❌ |
| CVE-2020-29652 | High |
7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
| CVE-2021-43565 | High |
7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | N/A | ❌ |
Details
CVE-2022-27191
Vulnerable Library - github.com/parallels/docker-machine-parallels-v1.3.0
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
- ❌ github.com/parallels/docker-machine-parallels-v1.3.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2020-9283
Vulnerable Library - github.com/parallels/docker-machine-parallels-v1.3.0
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
- ❌ github.com/parallels/docker-machine-parallels-v1.3.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Publish Date: 2020-02-20
URL: CVE-2020-9283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
Release Date: 2020-02-20
Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236
CVE-2020-29652
Vulnerable Library - github.com/parallels/docker-machine-parallels-v1.3.0
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
- ❌ github.com/parallels/docker-machine-parallels-v1.3.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
CVE-2021-43565
Vulnerable Library - github.com/parallels/docker-machine-parallels-v1.3.0
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
- ❌ github.com/parallels/docker-machine-parallels-v1.3.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
simple-git-3.4.0.tgz: 1 vulnerabilities (highest severity is: 9.8) - autoclosed
Vulnerable Library - simple-git-3.4.0.tgz
Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-3.4.0.tgz
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-24066 | High |
9.8 | simple-git-3.4.0.tgz | Direct | 3.5.0 | ❌ |
Details
CVE-2022-24066
Vulnerable Library - simple-git-3.4.0.tgz
Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-3.4.0.tgz
Dependency Hierarchy:
- ❌ simple-git-3.4.0.tgz (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: 3.5.0
github.com/kubernetes/kubernetes-v1.17.3: 46 vulnerabilities (highest severity is: 9.6)
Vulnerable Library - github.com/kubernetes/kubernetes-v1.17.3
Production-Grade Container Scheduling and Management
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2017-1002101 | High |
9.6 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | 1.7.14,1.8.9,1.9.4 | ❌ |
| CVE-2020-8558 | High |
8.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.4,v1.17.7,v1.16.11 | ❌ |
| CVE-2021-3121 | High |
8.6 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.3.2 | ❌ |
| CVE-2021-30465 | High |
8.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.0.0-rc95 | ❌ |
| CVE-2021-25741 | High |
8.1 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.19.15,v1.20.11,v1.21.5,v1.22.1 | ❌ |
| CVE-2020-27813 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.4.1 | ❌ |
| CVE-2021-38561 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.3.7 | ❌ |
| CVE-2022-21698 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.11.1 | ❌ |
| CVE-2020-26160 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v4.0.0-preview1 | ❌ |
| CVE-2020-29652 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
| CVE-2021-33194 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023 | ❌ |
| CVE-2021-44716 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70 | ❌ |
| CVE-2021-43565 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
| CVE-2020-14040 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.3.3 | ❌ |
| CVE-2020-28851 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
| CVE-2020-28852 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | Replace or update the following files: parse.go, parse_test.go | ❌ |
| CVE-2020-7919 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d | ❌ |
| CVE-2020-10752 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
| CVE-2022-27191 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
| CVE-2020-9283 | High |
7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236 | ❌ |
| CVE-2021-20206 | High |
7.2 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.8.1 | ❌ |
| CVE-2020-15113 | High |
7.1 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | 3.4.10, 3.3.23 | ❌ |
| CVE-2019-19921 | High |
7.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.0.0-rc10 | ❌ |
| CVE-2020-8559 | Medium |
6.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.6,v1.17.9,v1.16.13 | ❌ |
| CVE-2019-11252 | Medium |
6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.0-beta.2 | ❌ |
| CVE-2020-15112 | Medium |
6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | 3.4.10, 3.3.23 | ❌ |
| CVE-2021-20329 | Medium |
6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.5.1 | ❌ |
| CVE-2020-8551 | Medium |
6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.0-alpha.4 | ❌ |
| CVE-2021-25735 | Medium |
6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.18, v1.19.10, v1.20.6, v1.21.0 | ❌ |
| CVE-2020-15106 | Medium |
6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v3.3.23;v3.4.10 | ❌ |
| CVE-2020-8555 | Medium |
6.3 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.1,v1.17.5,v1.16.9,v1.15.12 | ❌ |
| CVE-2021-31525 | Medium |
5.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | golang - v1.15.12,v1.16.4,v1.17.0 | ❌ |
| CVE-2019-19794 | Medium |
5.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.1.25 | ❌ |
| CVE-2021-25736 | Medium |
5.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | kubernetes - 1.18.18, 1.19.10, 1.20.6, 1.21.0 | ❌ |
| CVE-2020-8566 | Medium |
5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.17.13,v1.18.10,v1.19.3 | ❌ |
| CVE-2020-8565 | Medium |
5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.20.0-alpha.2 | ❌ |
| CVE-2020-8564 | Medium |
5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.17.13,v1.18.10,v1.19.3 | ❌ |
| CVE-2020-8563 | Medium |
5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.19.3 | ❌ |
| CVE-2020-8557 | Medium |
5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.6,v1.17.9,v1.16.13 | ❌ |
| CVE-2021-41190 | Medium |
5.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v2.8.0 | ❌ |
| CVE-2021-43784 | Medium |
5.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.0.3 | ❌ |
| CVE-2020-8554 | Medium |
5.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
| CVE-2018-20699 | Medium |
4.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v18.09.0 | ❌ |
| CVE-2021-25737 | Medium |
4.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.19, v1.19.11, v1.20.7, v1.21.1 | ❌ |
| CVE-2020-8552 | Medium |
4.3 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.0-alpha.3 | ❌ |
| WS-2021-0495 | Low |
3.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | github.com/opencontainers/runc - 1.0.0-rc91 | ❌ |
Details
Partial details (0 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.
system.net.requests.4.3.0.nupkg: 1 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - system.net.requests.4.3.0.nupkg
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.2/system.net.http.4.3.2.nupkg
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2018-8292 | High |
7.5 | system.net.http.4.3.2.nupkg | Transitive | N/A | ❌ |
Details
CVE-2018-8292
Vulnerable Library - system.net.http.4.3.2.nupkg
Provides a programming interface for modern HTTP applications, including HTTP client components that...
Library home page: https://api.nuget.org/packages/system.net.http.4.3.2.nupkg
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.2/system.net.http.4.3.2.nupkg
Dependency Hierarchy:
- system.net.requests.4.3.0.nupkg (Root Library)
- ❌ system.net.http.4.3.2.nupkg (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
Publish Date: 2018-10-10
URL: CVE-2018-8292
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: dotnet/announcements#88
Release Date: 2018-10-10
Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1
github.com/google/go-containerregistry-v0.1.0: 7 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-26160 | High |
7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v4.0.0-preview1 | ❌ |
| CVE-2021-44716 | High |
7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70 | ❌ |
| CVE-2020-14040 | High |
7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v0.3.3 | ❌ |
| CVE-2021-31525 | Medium |
5.9 | github.com/google/go-containerregistry-v0.1.0 | Direct | golang - v1.15.12,v1.16.4,v1.17.0 | ❌ |
| CVE-2020-8565 | Medium |
5.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v1.20.0-alpha.2 | ❌ |
| CVE-2020-8564 | Medium |
5.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v1.17.13,v1.18.10,v1.19.3 | ❌ |
| CVE-2021-41190 | Medium |
5.0 | github.com/google/go-containerregistry-v0.1.0 | Direct | v2.8.0 | ❌ |
Details
CVE-2020-26160
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
- ❌ github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26160
Release Date: 2020-09-30
Fix Resolution: v4.0.0-preview1
CVE-2021-44716
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
- ❌ github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Publish Date: 2022-01-01
URL: CVE-2021-44716
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-vc3p-29h2-gpcp
Release Date: 2022-01-01
Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70
CVE-2020-14040
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
- ❌ github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
CVE-2021-31525
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
- ❌ github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
CVE-2020-8565
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
- ❌ github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Publish Date: 2020-12-07
URL: CVE-2020-8565
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0064
Release Date: 2020-12-07
Fix Resolution: v1.20.0-alpha.2
CVE-2020-8564
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
- ❌ github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Publish Date: 2020-12-07
URL: CVE-2020-8564
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: kubernetes/kubernetes#95622
Release Date: 2020-12-07
Fix Resolution: v1.17.13,v1.18.10,v1.19.3
CVE-2021-41190
Vulnerable Library - github.com/google/go-containerregistry-v0.1.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
- ❌ github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Vulnerability Details
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.
Publish Date: 2021-11-17
URL: CVE-2021-41190
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-qq97-vm5h-rrhg
Release Date: 2021-11-17
Fix Resolution: v2.8.0
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.