philipabed / renovate
This project forked from renovatebot/renovate
Universal dependency update tool that fits into your workflows.
Home Page: https://renovatebot.com
License: Other
This issue provides visibility into Renovate updates and their statuses.
These problems occurred while renovating this repository.
These updates are awaiting their schedule. Click on a checkbox to get an update now.
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-8559 | Medium | 6.8 | github.com/kubernetes/apimachinery-v0.17.3 | Direct | v1.18.6,v1.17.9,v1.16.13 | ❌ |
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The Kubernetes kube-apiserver in versions v1.6-v1.15, and in versions prior to v1.16.13, v1.17.9 and v1.18.6, is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
Publish Date: 2020-07-22
URL: CVE-2020-8559
Base Score Metrics:
Type: Upgrade version
Origin: kubernetes/kubernetes#92914
Release Date: 2020-07-21
Fix Resolution: v1.18.6,v1.17.9,v1.16.13
Docker machine driver for VMware Fusion and Workstation.
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-27191 | High | 7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | N/A | ❌ |
CVE-2020-9283 | High | 7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236 | ❌ |
CVE-2020-29652 | High | 7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
CVE-2021-43565 | High | 7.5 | github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 | Direct | N/A | ❌ |
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
Base Score Metrics:
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Publish Date: 2020-02-20
URL: CVE-2020-9283
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
Release Date: 2020-02-20
Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
Docker machine driver for VMware Fusion and Workstation.
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
Base Score Metrics:
Latest Scan: 2022-05-09 01:39pm
Total Findings: 41
Tested Project Files: 1316
Detected Programming Languages: 6
Severity | CWE | Vulnerability Type | Count |
---|---|---|---|
Low | CWE-798 | Hardcoded Password/Credentials | 6 |
Low | CWE-338 | Weak Pseudo-Random | 4 |
No high vulnerability findings detected. To view information on the remaining findings, navigate to the WhiteSource SAST Application.
No vulnerability findings detected.
No vulnerability findings detected.
No vulnerability findings detected.
Severity | CWE | Vulnerability Type | Count |
---|---|---|---|
Low | CWE-916 | Weak Hash Strength | 29 |
No high vulnerability findings detected. To view information on the remaining findings, navigate to the WhiteSource SAST Application.
Severity | CWE | Vulnerability Type | Count |
---|---|---|---|
Low | CWE-472 | Hidden HTML Input | 2 |
No high vulnerability findings detected. To view information on the remaining findings, navigate to the WhiteSource SAST Application.
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-24785 | High | 7.5 | moment-2.29.1.tgz | Transitive | N/A | ❌ |
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Publish Date: 2022-04-04
URL: CVE-2022-24785
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8hfj-j24r-96c4
Release Date: 2022-04-04
Fix Resolution: moment - 2.29.2,Moment.js - 2.29.2
[mirror] Go supplementary cryptography libraries
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-27191 | High | 7.5 | github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f | Direct | N/A | ❌ |
CVE-2020-29652 | High | 7.5 | github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
CVE-2021-43565 | High | 7.5 | github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f | Direct | N/A | ❌ |
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
Base Score Metrics:
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
Base Score Metrics:
Go client for Kubernetes.
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-8565 | Medium | 5.5 | github.com/kubernetes/client-go-v0.17.3 | Direct | v1.20.0-alpha.2 | ❌ |
Go client for Kubernetes.
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Publish Date: 2020-12-07
URL: CVE-2020-8565
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0064
Release Date: 2020-12-07
Fix Resolution: v1.20.0-alpha.2
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-0820 | High | 7.5 | system.text.regularexpressions.4.3.0.nupkg | Transitive | N/A | ❌ |
Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2019-0820 only affects versions 4.3.0 and 4.3.1 of system.text.regularexpressions.nupkg, and only on the netcore50 environment.
Publish Date: 2019-05-16
URL: CVE-2019-0820
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
[mirror] Go text processing support
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-28851 | High | 7.5 | github.com/golang/text-v0.3.2 | Direct | N/A | ❌ |
CVE-2020-28852 | High | 7.5 | github.com/golang/text-v0.3.2 | Direct | Replace or update the following files: parse.go, parse_test.go | ❌ |
CVE-2021-38561 | High | 7.5 | github.com/golang/text-v0.3.2 | Direct | v0.3.7 | ❌ |
CVE-2020-14040 | High | 7.5 | github.com/golang/text-v0.3.2 | Direct | v0.3.3 | ❌ |
[mirror] Go text processing support
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28851
Base Score Metrics:
[mirror] Go text processing support
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28852
Base Score Metrics:
Type: Change files
Origin: golang/text@4482a91
Release Date: 2020-11-18
Fix Resolution: Replace or update the following files: parse.go, parse_test.go
[mirror] Go text processing support
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.
Publish Date: 2021-08-12
URL: CVE-2021-38561
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
[mirror] Go text processing support
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
Parallels driver for Docker Machine https://github.com/docker/machine
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-27191 | High | 7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | N/A | ❌ |
CVE-2020-9283 | High | 7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236 | ❌ |
CVE-2020-29652 | High | 7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
CVE-2021-43565 | High | 7.5 | github.com/parallels/docker-machine-parallels-v1.3.0 | Direct | N/A | ❌ |
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
Base Score Metrics:
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Publish Date: 2020-02-20
URL: CVE-2020-9283
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
Release Date: 2020-02-20
Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
Parallels driver for Docker Machine https://github.com/docker/machine
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
Base Score Metrics:
Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-3.4.0.tgz
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-24066 | High | 9.8 | simple-git-3.4.0.tgz | Direct | 3.5.0 | ❌ |
Simple GIT interface for node.js
Library home page: https://registry.npmjs.org/simple-git/-/simple-git-3.4.0.tgz
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433, which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Publish Date: 2022-04-01
URL: CVE-2022-24066
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28xr-mwxg-3qc8
Release Date: 2022-04-01
Fix Resolution: 3.5.0
Production-Grade Container Scheduling and Management
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2017-1002101 | High | 9.6 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | 1.7.14,1.8.9,1.9.4 | ❌ |
CVE-2020-8558 | High | 8.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.4,v1.17.7,v1.16.11 | ❌ |
CVE-2021-3121 | High | 8.6 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.3.2 | ❌ |
CVE-2021-30465 | High | 8.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.0.0-rc95 | ❌ |
CVE-2021-25741 | High | 8.1 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.19.15,v1.20.11,v1.21.5,v1.22.1 | ❌ |
CVE-2020-27813 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.4.1 | ❌ |
CVE-2021-38561 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.3.7 | ❌ |
CVE-2022-21698 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.11.1 | ❌ |
CVE-2020-26160 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v4.0.0-preview1 | ❌ |
CVE-2020-29652 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.0.0-20201216223049-8b5274cf687f | ❌ |
CVE-2021-33194 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023 | ❌ |
CVE-2021-44716 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70 | ❌ |
CVE-2021-43565 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
CVE-2020-14040 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.3.3 | ❌ |
CVE-2020-28851 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
CVE-2020-28852 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | Replace or update the following files: parse.go, parse_test.go | ❌ |
CVE-2020-7919 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d | ❌ |
CVE-2020-10752 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
CVE-2022-27191 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
CVE-2020-9283 | High | 7.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236 | ❌ |
CVE-2021-20206 | High | 7.2 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v0.8.1 | ❌ |
CVE-2020-15113 | High | 7.1 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | 3.4.10, 3.3.23 | ❌ |
CVE-2019-19921 | High | 7.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.0.0-rc10 | ❌ |
CVE-2020-8559 | Medium | 6.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.6,v1.17.9,v1.16.13 | ❌ |
CVE-2019-11252 | Medium | 6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.0-beta.2 | ❌ |
CVE-2020-15112 | Medium | 6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | 3.4.10, 3.3.23 | ❌ |
CVE-2021-20329 | Medium | 6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.5.1 | ❌ |
CVE-2020-8551 | Medium | 6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.0-alpha.4 | ❌ |
CVE-2021-25735 | Medium | 6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.18, v1.19.10, v1.20.6, v1.21.0 | ❌ |
CVE-2020-15106 | Medium | 6.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v3.3.23;v3.4.10 | ❌ |
CVE-2020-8555 | Medium | 6.3 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.1,v1.17.5,v1.16.9,v1.15.12 | ❌ |
CVE-2021-31525 | Medium | 5.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | golang - v1.15.12,v1.16.4,v1.17.0 | ❌ |
CVE-2019-19794 | Medium | 5.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.1.25 | ❌ |
CVE-2021-25736 | Medium | 5.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | kubernetes - 1.18.18, 1.19.10, 1.20.6, 1.21.0 | ❌ |
CVE-2020-8566 | Medium | 5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.17.13,v1.18.10,v1.19.3 | ❌ |
CVE-2020-8565 | Medium | 5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.20.0-alpha.2 | ❌ |
CVE-2020-8564 | Medium | 5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.17.13,v1.18.10,v1.19.3 | ❌ |
CVE-2020-8563 | Medium | 5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.19.3 | ❌ |
CVE-2020-8557 | Medium | 5.5 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.6,v1.17.9,v1.16.13 | ❌ |
CVE-2021-41190 | Medium | 5.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v2.8.0 | ❌ |
CVE-2021-43784 | Medium | 5.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.0.3 | ❌ |
CVE-2020-8554 | Medium | 5.0 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | N/A | ❌ |
CVE-2018-20699 | Medium | 4.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v18.09.0 | ❌ |
CVE-2021-25737 | Medium | 4.8 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.19, v1.19.11, v1.20.7, v1.21.1 | ❌ |
CVE-2020-8552 | Medium | 4.3 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | v1.18.0-alpha.3 | ❌ |
WS-2021-0495 | Low | 3.9 | github.com/kubernetes/kubernetes-v1.17.3 | Direct | github.com/opencontainers/runc - 1.0.0-rc91 | ❌ |
Partial details (0 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.2/system.net.http.4.3.2.nupkg
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2018-8292 | High | 7.5 | system.net.http.4.3.2.nupkg | Transitive | N/A | ❌ |
Provides a programming interface for modern HTTP applications, including HTTP client components that...
Library home page: https://api.nuget.org/packages/system.net.http.4.3.2.nupkg
Path to dependency file: /lib/modules/manager/nuget/__fixtures__/multiple-package-files/one/one.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.net.http/4.3.2/system.net.http.4.3.2.nupkg
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.
Publish Date: 2018-10-10
URL: CVE-2018-8292
Base Score Metrics:
Type: Upgrade version
Origin: dotnet/announcements#88
Release Date: 2018-10-10
Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1
Go library and CLIs for working with container registries
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-26160 | High | 7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v4.0.0-preview1 | ❌ |
CVE-2021-44716 | High | 7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70 | ❌ |
CVE-2020-14040 | High | 7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v0.3.3 | ❌ |
CVE-2021-31525 | Medium | 5.9 | github.com/google/go-containerregistry-v0.1.0 | Direct | golang - v1.15.12,v1.16.4,v1.17.0 | ❌ |
CVE-2020-8565 | Medium | 5.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v1.20.0-alpha.2 | ❌ |
CVE-2020-8564 | Medium | 5.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v1.17.13,v1.18.10,v1.19.3 | ❌ |
CVE-2021-41190 | Medium | 5.0 | github.com/google/go-containerregistry-v0.1.0 | Direct | v2.8.0 | ❌ |
Go library and CLIs for working with container registries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26160
Release Date: 2020-09-30
Fix Resolution: v4.0.0-preview1
Go library and CLIs for working with container registries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Publish Date: 2022-01-01
URL: CVE-2021-44716
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vc3p-29h2-gpcp
Release Date: 2022-01-01
Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70
Go library and CLIs for working with container registries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
Go library and CLIs for working with container registries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
Go library and CLIs for working with container registries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Publish Date: 2020-12-07
URL: CVE-2020-8565
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0064
Release Date: 2020-12-07
Fix Resolution: v1.20.0-alpha.2
Go library and CLIs for working with container registries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Publish Date: 2020-12-07
URL: CVE-2020-8564
Base Score Metrics:
Type: Upgrade version
Origin: kubernetes/kubernetes#95622
Release Date: 2020-12-07
Fix Resolution: v1.17.13,v1.18.10,v1.19.3
Go library and CLIs for working with container registries
Dependency Hierarchy:
Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3
Found in base branch: main
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.
Publish Date: 2021-11-17
URL: CVE-2021-41190
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qq97-vm5h-rrhg
Release Date: 2021-11-17
Fix Resolution: v2.8.0