
vipinsun / fabric


This project forked from hyperledger/fabric

0.0 0.0 0.0 126.82 MB

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. Its modular and versatile design satisfies a broad range of industry use cases. It offers a unique approach to consensus that enables performance at scale while preserving privacy.

Home Page: https://wiki.hyperledger.org/display/fabric

License: Apache License 2.0

Makefile 0.13% Go 99.36% Shell 0.48% Dockerfile 0.03%

fabric's People

Contributors

adecaro, ale-linux, binhn, c0rwin, caod123, cendhu, christo4ferris, denyeart, dereckluo, gaborh-da, ghaskins, guoger, hacera-jonathan, jimthematrix, jonathanlevi, kchristidis, lhaskins, lindluni, manish-sethi, mastersingh24, muralisrini, pamandrejko, rameshthoomu, stephyee, sykesm, tock-ibm, wenjianqiao, wlahti, yacovm, yeasy

fabric's Issues

CVE-2012-6708 (Medium) detected in github.com/golang/tools-gopls/v0.3.1-pre1

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/tools-gopls/v0.3.1-pre1

[mirror] Go Tools

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ github.com/golang/tools-gopls/v0.3.1-pre1 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0


Step up your Open Source Security Game with Mend here

WS-2021-0184 (High) detected in multiple libraries - autoclosed

WS-2021-0184 - High Severity Vulnerability

Vulnerable Libraries - zstdv1.4.5+patch2, zstdv1.4.5+patch2, zstdv1.4.5+patch2

Vulnerability Details

Zstandard in versions v1.3.5 to v1.4.9 is vulnerable to unknown read in MEM_read32.

Publish Date: 2021-05-04

URL: WS-2021-0184

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/OSV-2021-727

Release Date: 2021-05-04

Fix Resolution: v1.5.0



Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • fix(deps): update github.com/syndtr/goleveldb digest to 126854a
  • fix(deps): update module github.com/gorilla/mux to v1.8.1
  • fix(deps): update module github.com/ibm/idemix to v0.0.1
  • chore(deps): update dependency babel to v2.14.0
  • chore(deps): update dependency snowballstemmer to v1.9.1
  • chore(deps): update dependency sphinx to v1.8.6
  • chore(deps): update dependency sphinx-rtd-theme to v0.5.2
  • chore(deps): update module github.com/golang/protobuf to v1.5.4
  • chore(deps): update module github.com/onsi/gomega to v1.33.0
  • fix(deps): update module code.cloudfoundry.org/clock to v1.1.0
  • fix(deps): update module github.com/axw/gocov to v1.1.0
  • fix(deps): update module github.com/go-kit/kit to v0.13.0
  • fix(deps): update module github.com/go-swagger/go-swagger to v0.30.5
  • fix(deps): update module github.com/gorilla/handlers to v1.5.2
  • fix(deps): update module github.com/grpc-ecosystem/go-grpc-middleware to v1.4.0
  • fix(deps): update module github.com/hashicorp/go-version to v1.6.0
  • fix(deps): update module github.com/hyperledger/fabric-config to v0.2.1
  • fix(deps): update module github.com/hyperledger/fabric-lib-go to v1.1.1
  • fix(deps): update module github.com/hyperledger/fabric-protos-go to v0.3.3
  • fix(deps): update module github.com/kr/pretty to v0.3.1
  • fix(deps): update module github.com/maxbrunsfeld/counterfeiter/v6 to v6.8.1
  • fix(deps): update module github.com/miekg/pkcs11 to v1.1.1
  • fix(deps): update module github.com/mitchellh/mapstructure to v1.5.0
  • fix(deps): update module github.com/onsi/ginkgo to v1.16.5
  • fix(deps): update module github.com/shopify/sarama to v1.43.1
  • fix(deps): update module github.com/spf13/viper to v1.18.2
  • fix(deps): update module github.com/stretchr/testify to v1.9.0
  • fix(deps): update module github.com/victoriametrics/fastcache to v1.12.2
  • fix(deps): update module github.com/willf/bitset to v1.13.0
  • fix(deps): update module go.uber.org/zap to v1.27.0
  • fix(deps): update module golang.org/x/crypto to v0.22.0
  • fix(deps): update module gopkg.in/alecthomas/kingpin.v2 to v2.4.0
  • fix(deps): update module honnef.co/go/tools to v0.4.7
  • fix(deps): update module mvdan.cc/gofumpt to v0.6.0
  • chore(deps): update actions/checkout action to v4
  • chore(deps): update dependency imagesize to v1
  • chore(deps): update dependency jinja2 to v3
  • chore(deps): update dependency markupsafe to v2
  • chore(deps): update dependency pytz to v2024
  • chore(deps): update dependency snowballstemmer to v2
  • chore(deps): update dependency sphinx to v7
  • chore(deps): update dependency sphinx-rtd-theme to v2
  • chore(deps): update github/codeql-action action to v3
  • chore(deps): update hyperledger/fabric-tools docker tag to v2
  • chore(deps): update lindluni/issue-manager action to v2
  • chore(deps): update plugin com.github.johnrengelman.shadow to v8
  • fix(deps): update dependency org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim to v2
  • fix(deps): update module github.com/aleksi/gocov-xml to v1
  • fix(deps): update module github.com/grpc-ecosystem/go-grpc-middleware to v2
  • fix(deps): update module github.com/onsi/ginkgo to v2
  • fix(deps): update module github.com/spf13/cobra to v1
  • fix(deps): update module github.com/vektra/mockery to v3
  • fix(deps): update module gopkg.in/cheggaaa/pb.v1 to v2
  • fix(deps): update module gopkg.in/yaml.v2 to v3
  • 🔐 Create all rate-limited PRs at once 🔐

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

docker-compose
integration/lifecycle/testdata/docker-compose.yaml
  • hyperledger/fabric-tools 1.4
dockerfile
images/baseos/Dockerfile
images/ccenv/Dockerfile
images/orderer/Dockerfile
images/peer/Dockerfile
images/tools/Dockerfile
github-actions
.github/workflows/codeql-analysis.yml
  • actions/checkout v2
  • github/codeql-action v1
  • github/codeql-action v1
  • github/codeql-action v1
.github/workflows/slash-commands.yml
  • lindluni/issue-manager v1.0.0
  • lindluni/issue-manager v1.0.0
.github/workflows/trigger.yml
gomod
core/chaincode/platforms/golang/testdata/ccmodule/go.mod
  • go 1.12
core/chaincode/platforms/golang/testdata/src/chaincodes/noop/go.mod
  • go 1.13
go.mod
  • go 1.14
  • code.cloudfoundry.org/clock v1.0.0
  • github.com/IBM/idemix v0.0.0-20210930104432-e4a1410f5353@e4a1410f5353
  • github.com/Knetic/govaluate v3.0.0+incompatible
  • github.com/Shopify/sarama v1.20.1
  • github.com/VictoriaMetrics/fastcache v1.5.7
  • github.com/davecgh/go-spew v1.1.1
  • github.com/fsouza/go-dockerclient v1.7.0
  • github.com/go-kit/kit v0.9.0
  • github.com/golang/protobuf v1.3.3
  • github.com/gorilla/handlers v1.4.0
  • github.com/gorilla/mux v1.8.0
  • github.com/grpc-ecosystem/go-grpc-middleware v1.1.0
  • github.com/hashicorp/go-version v1.2.0
  • github.com/hyperledger/fabric-chaincode-go v0.0.0-20201119163726-f8ef75b17719@f8ef75b17719
  • github.com/hyperledger/fabric-config v0.1.0
  • github.com/hyperledger/fabric-lib-go v1.0.0
  • github.com/hyperledger/fabric-protos-go v0.0.0-20210911123859-041d13f0980c@041d13f0980c
  • github.com/kr/pretty v0.2.1
  • github.com/miekg/pkcs11 v1.0.3
  • github.com/mitchellh/mapstructure v1.3.2
  • github.com/onsi/ginkgo v1.14.0
  • github.com/onsi/gomega v1.10.1
  • github.com/pkg/errors v0.9.1
  • github.com/prometheus/client_golang v1.5.1
  • github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475@cf1acfcdf475
  • github.com/spf13/cobra v0.0.3
  • github.com/spf13/pflag v1.0.5
  • github.com/spf13/viper v1.1.1
  • github.com/stretchr/testify v1.7.1-0.20210116013205-6990a05d54c2@6990a05d54c2
  • github.com/sykesm/zap-logfmt v0.0.2
  • github.com/syndtr/goleveldb v1.0.1-0.20210305035536-64b5b1c73954@64b5b1c73954
  • github.com/tedsuo/ifrit v0.0.0-20180802180643-bea94bb476cc@bea94bb476cc
  • github.com/willf/bitset v1.1.10
  • go.uber.org/zap v1.16.0
  • golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2@0c34fe9e7dc2
  • golang.org/x/tools v0.0.0-20200131233409-575de47986ce@575de47986ce
  • google.golang.org/grpc v1.31.0
  • gopkg.in/alecthomas/kingpin.v2 v2.2.6
  • gopkg.in/cheggaaa/pb.v1 v1.0.28
  • gopkg.in/yaml.v2 v2.4.0
  • github.com/onsi/gomega v1.9.0
integration/chaincode/module/go.mod
  • go 1.12
  • github.com/hyperledger/fabric-chaincode-go v0.0.0-20190823162523-04390e015b85@04390e015b85
  • github.com/hyperledger/fabric-protos-go v0.0.0-20190823190507-26c33c998676@26c33c998676
tools/go.mod
  • go 1.13
  • github.com/AlekSi/gocov-xml v0.0.0-20190121064608-3a14fb1c4737@3a14fb1c4737
  • github.com/axw/gocov v1.0.0
  • github.com/client9/misspell v0.3.4
  • github.com/go-swagger/go-swagger v0.25.0
  • github.com/golang/protobuf v1.4.2
  • github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2
  • github.com/onsi/ginkgo v1.11.0
  • github.com/vektra/mockery v0.0.0-20181123154057-e78b021dcbb5@e78b021dcbb5
  • golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f@fdd1cda4f05f
  • golang.org/x/tools v0.1.0
  • honnef.co/go/tools v0.1.1
  • mvdan.cc/gofumpt v0.1.0
  • github.com/golang/protobuf v1.3.3
gradle
core/chaincode/platforms/java/testdata/gradle/settings.gradle
core/chaincode/platforms/java/testdata/gradle/build.gradle
  • com.github.johnrengelman.shadow 2.0.3
  • org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim 1.3.0-SNAPSHOT
  • junit:junit 4.12
pip_requirements
docs/requirements.txt
  • python-markdown-math ==0.2
  • alabaster ==0.7.8
  • Babel ==2.9.1
  • docutils ==0.12
  • imagesize ==0.7.1
  • Jinja2 ==2.11.3
  • MarkupSafe ==0.23
  • Pygments ==2.7.4
  • pytz ==2016.4
  • six ==1.10.0
  • snowballstemmer ==1.2.1
  • Sphinx ==1.7.2
  • sphinx-rtd-theme ==0.2.5b2
  • recommonmark ==0.4.0
docs/source/requirements.txt
  • python-markdown-math ==0.2

  • Check this box to trigger a request for Renovate to run again on this repository

WS-2021-0427 (Low) detected in github.com/containerd/Containerd-v1.4.1

WS-2021-0427 - Low Severity Vulnerability

Vulnerable Library - github.com/containerd/Containerd-v1.4.1

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.4.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/containerd/Containerd-v1.4.1 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

Publish Date: 2021-11-18

URL: WS-2021-0427

CVSS 3 Score Details (3.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-5j5w-g665-5m35

Release Date: 2021-11-18

Fix Resolution: solidus_core - 2.11.12, 3.0.3, 3.1.3



CVE-2021-44716 (High) detected in golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

CVE-2021-44716 - High Severity Vulnerability

Vulnerable Libraries - golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20210226172049-e18ecbb05110.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/onsi/Gomega-v1.9.0 (Root Library)
    • ❌ golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110 (Vulnerable Library)

github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • ❌ github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70



CVE-2021-31525 (Medium) detected in golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

CVE-2021-31525 - Medium Severity Vulnerability

Vulnerable Libraries - golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20210226172049-e18ecbb05110.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/onsi/Gomega-v1.9.0 (Root Library)
    • ❌ golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110 (Vulnerable Library)

github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • ❌ github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0



CVE-2021-20206 (High) detected in github.com/containerd/containerd-v1.4.1 - autoclosed

CVE-2021-20206 - High Severity Vulnerability

Vulnerable Library - github.com/containerd/containerd-v1.4.1

An open and reliable container runtime

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v17.03.2-ce
      • ❌ github.com/containerd/containerd-v1.4.1 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute existing binaries other than the CNI plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Publish Date: 2021-03-26

URL: CVE-2021-20206

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1919391

Release Date: 2020-12-18

Fix Resolution: v0.8.1


Step up your Open Source Security Game with WhiteSource here

CVE-2021-41103 (High) detected in github.com/containerd/Containerd-v1.4.1

CVE-2021-41103 - High Severity Vulnerability

Vulnerable Library - github.com/containerd/Containerd-v1.4.1

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.4.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/containerd/Containerd-v1.4.1 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these versions when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users and update directory permissions on container bundle directories.

Publish Date: 2021-10-04

URL: CVE-2021-41103

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-c2h3-6mxw-7mvq

Release Date: 2021-10-04

Fix Resolution: v1.4.11,v1.5.7



CVE-2017-18367 (High) detected in github.com/opencontainers/runc-v1.0.0-rc8 - autoclosed

CVE-2017-18367 - High Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v17.03.2-ce
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.

Publish Date: 2019-04-24

URL: CVE-2017-18367

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0007

Release Date: 2019-04-24

Fix Resolution: v0.9.1



CVE-2020-15106 (Medium) detected in go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

CVE-2020-15106 - Medium Severity Vulnerability

Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

Publish Date: 2020-08-05

URL: CVE-2020-15106

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-15106

Release Date: 2020-08-05

Fix Resolution: v3.3.23;v3.4.10



CVE-2022-29162 (High) detected in github.com/opencontainers/runc-v1.0.0-rc8

CVE-2022-29162 - High Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.0-rc8.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where runc exec --cap created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities. In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file.

Publish Date: 2022-05-17

URL: CVE-2022-29162

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29162

Release Date: 2022-04-14

Fix Resolution: v1.1.2



CVE-2022-23491 (High) detected in certifi-2021.10.8-py2.py3-none-any.whl

CVE-2022-23491 - High Severity Vulnerability

Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docs/requirements.txt

Dependency Hierarchy:

  • Sphinx-1.7.2-py2.py3-none-any.whl (Root Library)
    • requests-2.26.0-py2.py3-none-any.whl
      • ❌ certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07



CVE-2019-19921 (High) detected in github.com/opencontainers/runc-v1.0.0-rc8

CVE-2019-19921 - High Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.0-rc8.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)

Publish Date: 2020-02-12

URL: CVE-2019-19921

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921

Release Date: 2020-03-11

Fix Resolution: v1.0.0-rc10


CVE-2021-43784 (Medium) detected in github.com/opencontainers/runc-v1.0.0-rc8

CVE-2021-43784 - Medium Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.0-rc8.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.

Publish Date: 2021-12-06

URL: CVE-2021-43784

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v95c-p5hm-xq8f

Release Date: 2021-12-06

Fix Resolution: v1.0.3


CVE-2023-45803 (Medium) detected in urllib3-1.26.7-py2.py3-none-any.whl

CVE-2023-45803 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.26.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/af/f4/524415c0744552cce7d8bf3669af78e8a069514405ea4fcbd0cc44733744/urllib3-1.26.7-py2.py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docs/requirements.txt

Dependency Hierarchy:

  • Sphinx-1.7.2-py2.py3-none-any.whl (Root Library)
    • requests-2.26.0-py2.py3-none-any.whl
      • ❌ urllib3-1.26.7-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution: urllib3 - 1.26.18,2.0.7


CVE-2020-15113 (High) detected in go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

CVE-2020-15113 - High Severity Vulnerability

Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).

Publish Date: 2020-08-05

URL: CVE-2020-15113

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23


CVE-2020-28851 (High) detected in github.com/golang/text-v0.3.3

CVE-2020-28851 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.3

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/Spf13/viper-v1.1.1 (Root Library)
    • github.com/spf13/afero-v1.3.1
      • ❌ github.com/golang/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28851

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28851

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.6-1,0.3.6-1


CVE-2023-44273 (Critical) detected in github.com/consensys/gnark-crypto-v0.4.0

CVE-2023-44273 - Critical Severity Vulnerability

Vulnerable Library - github.com/consensys/gnark-crypto-v0.4.0

gnark-crypto provides elliptic curve and pairing-based cryptography on BN, BLS12, BLS24 and BW6 curves. It also provides various algorithms (algebra, crypto) of particular interest to zero knowledge proof systems.

Library home page: https://proxy.golang.org/github.com/consensys/gnark-crypto/@v/v0.4.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/IBM/idemix (Root Library)
    • github.com/IBM/mathlib-v0.0.0-20210928081244-f5486459a290
      • ❌ github.com/consensys/gnark-crypto-v0.4.0 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

Consensys gnark-crypto through 0.11.2 allows Signature Malleability. This occurs because deserialisation of EdDSA and ECDSA signatures does not ensure that the data is in a certain interval.

Publish Date: 2023-09-28

URL: CVE-2023-44273

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


WS-2021-0495 (Low) detected in github.com/opencontainers/runc-v1.0.0-rc8

WS-2021-0495 - Low Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.0-rc8.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Devices resource list treated as a blacklist by default in runc 1.0.0-rc90

Publish Date: 2021-12-20

URL: WS-2021-0495

CVSS 3 Score Details (3.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g54h-m393-cpwq

Release Date: 2021-12-20

Fix Resolution: github.com/opencontainers/runc - 1.0.0-rc91


CVE-2023-27561 (High) detected in github.com/opencontainers/runc-v1.0.0-rc8

CVE-2023-27561 - High Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.0-rc8.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.

Publish Date: 2023-03-03

URL: CVE-2023-27561

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


CVE-2020-15112 (Medium) detected in go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

CVE-2020-15112 - Medium Severity Vulnerability

Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

Publish Date: 2020-08-05

URL: CVE-2020-15112

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23


CVE-2023-37920 (Critical) detected in certifi-2021.10.8-py2.py3-none-any.whl

CVE-2023-37920 - Critical Severity Vulnerability

Vulnerable Library - certifi-2021.10.8-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docs/requirements.txt

Dependency Hierarchy:

  • Sphinx-1.7.2-py2.py3-none-any.whl (Root Library)
    • requests-2.26.0-py2.py3-none-any.whl
      • ❌ certifi-2021.10.8-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution: certifi - 2023.7.22


CVE-2023-32681 (Medium) detected in requests-2.26.0-py2.py3-none-any.whl

CVE-2023-32681 - Medium Severity Vulnerability

Vulnerable Library - requests-2.26.0-py2.py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/92/96/144f70b972a9c0eabbd4391ef93ccd49d0f2747f4f6a2a2738e99e5adc65/requests-2.26.0-py2.py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docs/requirements.txt

Dependency Hierarchy:

  • Sphinx-1.7.2-py2.py3-none-any.whl (Root Library)
    • ❌ requests-2.26.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: requests - 2.31.0


CVE-2020-8565 (Medium) detected in github.com/containerd/containerd-v1.4.1 - autoclosed

CVE-2020-8565 - Medium Severity Vulnerability

Vulnerable Library - github.com/containerd/containerd-v1.4.1

An open and reliable container runtime

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v17.03.2-ce
      • ❌ github.com/containerd/containerd-v1.4.1 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.

Publish Date: 2020-12-07

URL: CVE-2020-8565

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0064

Release Date: 2020-12-07

Fix Resolution: v1.20.0-alpha.2


CVE-2023-48795 (Medium) detected in github.com/golang/crypto-v0.1.0

CVE-2023-48795 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/crypto-v0.1.0

[mirror] Go supplementary cryptography libraries

Library home page: https://proxy.golang.org/github.com/golang/crypto/@v/v0.1.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ github.com/golang/crypto-v0.1.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Publish Date: 2023-12-18

URL: CVE-2023-48795

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-48795

Release Date: 2023-12-18

Fix Resolution: putty - 0.80, openssh - V_9_6_P1, golang/crypto - v0.17.0, asyncssh - 2.14.2, libssh-0.9.8, libssh-0.10.6, teraterm - v5.1, paramiko - 3.4.0, russh - 0.40.2, com.github.mwiede:jsch:0.2.15, proftpd - v1.3.8b, thrussh - 0.35.1, teraterm - v5.1, org.connectbot:sshlib:2.2.22, mscdex/ssh2 - 1.15.0, jtesta/ssh-audit - v3.1.0, Oryx-Embedded/CycloneSSH - v2.3.4, opnsense/src - 23.7, winscp - 6.2.2, PowerShell/openssh-portable - v9.5.0.0


CVE-2022-23648 (High) detected in github.com/containerd/Containerd-v1.4.1

CVE-2022-23648 - High Severity Vulnerability

Vulnerable Library - github.com/containerd/Containerd-v1.4.1

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.4.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/containerd/Containerd-v1.4.1 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.

Publish Date: 2022-03-03

URL: CVE-2022-23648

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-crp2-qrr5-8pq7

Release Date: 2022-03-03

Fix Resolution: v1.4.13, v1.5.10, v1.6.1


CVE-2021-21334 (Medium) detected in github.com/containerd/containerd-v1.4.1 - autoclosed

CVE-2021-21334 - Medium Severity Vulnerability

Vulnerable Library - github.com/containerd/containerd-v1.4.1

An open and reliable container runtime

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v17.03.2-ce
      • ❌ github.com/containerd/containerd-v1.4.1 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.

Publish Date: 2021-03-10

URL: CVE-2021-21334

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6g2q-w5j3-fwh4

Release Date: 2021-03-10

Fix Resolution: v1.3.10,v1.4.4


CVE-2022-21698 (High) detected in github.com/prometheus/client_golang-v1.5.1

CVE-2022-21698 - High Severity Vulnerability

Vulnerable Library - github.com/prometheus/client_golang-v1.5.1

Prometheus instrumentation library for Go applications

Library home page: https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.5.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ github.com/prometheus/client_golang-v1.5.1 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1


CVE-2022-32149 (High) detected in github.com/golang/text-v0.3.3, github.com/golang/text-v0.3.0

CVE-2022-32149 - High Severity Vulnerability

Vulnerable Libraries - github.com/golang/text-v0.3.3, github.com/golang/text-v0.3.0

github.com/golang/text-v0.3.3

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/Spf13/viper-v1.1.1 (Root Library)
    • github.com/spf13/afero-v1.3.1
      • ❌ github.com/golang/text-v0.3.3 (Vulnerable Library)

github.com/golang/text-v0.3.0

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65
        • ❌ github.com/golang/text-v0.3.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

CVE-2024-22195 (Medium) detected in Jinja2-2.11.3-py2.py3-none-any.whl

CVE-2024-22195 - Medium Severity Vulnerability

Vulnerable Library - Jinja2-2.11.3-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/7e/c2/1eece8c95ddbc9b1aeb64f5783a9e07a286de42191b7204d67b7496ddf35/Jinja2-2.11.3-py2.py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docs/requirements.txt

Dependency Hierarchy:

  • ❌ Jinja2-2.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Publish Date: 2024-01-11

URL: CVE-2024-22195

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h5c8-rqwp-cp95

Release Date: 2024-01-11

Fix Resolution: 3.1.3

CVE-2015-9251 (Medium) detected in github.com/golang/tools-gopls/v0.3.1-pre1

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/tools-gopls/v0.3.1-pre1

[mirror] Go Tools

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ github.com/golang/tools-gopls/v0.3.1-pre1 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

CVE-2019-16884 (High) detected in github.com/opencontainers/runc-v1.0.0-rc8

CVE-2019-16884 - High Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.0-rc8.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

Publish Date: 2019-09-25

URL: CVE-2019-16884

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16884

Release Date: 2019-09-25

Fix Resolution: v1.0.0-rc9

CVE-2023-43804 (High) detected in urllib3-1.26.7-py2.py3-none-any.whl

CVE-2023-43804 - High Severity Vulnerability

Vulnerable Library - urllib3-1.26.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/af/f4/524415c0744552cce7d8bf3669af78e8a069514405ea4fcbd0cc44733744/urllib3-1.26.7-py2.py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docs/requirements.txt

Dependency Hierarchy:

  • Sphinx-1.7.2-py2.py3-none-any.whl (Root Library)
    • requests-2.26.0-py2.py3-none-any.whl
      • ❌ urllib3-1.26.7-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution (urllib3): 1.26.17

Direct dependency fix Resolution (Sphinx): 1.7.3

CVE-2022-41721 (High) detected in github.com/golang/net-v0.0.0-20190603091049-60506f45cf65, golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110

CVE-2022-41721 - High Severity Vulnerability

Vulnerable Libraries - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65, golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110

github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • ❌ github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20210226172049-e18ecbb05110.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/onsi/Gomega-v1.9.0 (Root Library)
    • ❌ golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-13

Fix Resolution: v0.2.0

CVE-2021-33194 (High) detected in golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

CVE-2021-33194 - High Severity Vulnerability

Vulnerable Libraries - golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20210226172049-e18ecbb05110.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/onsi/Gomega-v1.9.0 (Root Library)
    • ❌ golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110 (Vulnerable Library)

github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • ❌ github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023

CVE-2021-3121 (High) detected in github.com/gogo/protobuf-v1.3.1

CVE-2021-3121 - High Severity Vulnerability

Vulnerable Library - github.com/gogo/protobuf-v1.3.1

[Deprecated] Protocol Buffers for Go with Gadgets

Library home page: https://proxy.golang.org/github.com/gogo/protobuf/@v/v1.3.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 (Root Library)
    • ❌ github.com/gogo/protobuf-v1.3.1 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

Publish Date: 2021-01-11

URL: CVE-2021-3121

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Release Date: 2021-01-11

Fix Resolution: v1.3.2

CVE-2020-28852 (High) detected in github.com/golang/text-v0.3.3

CVE-2020-28852 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.3

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/Spf13/viper-v1.1.1 (Root Library)
    • github.com/spf13/afero-v1.3.1
      • ❌ github.com/golang/text-v0.3.3 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

Publish Date: 2021-01-02

URL: CVE-2020-28852

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28852

Release Date: 2021-01-02

Fix Resolution: golang-golang-x-text-dev - 0.3.5-1,0.3.5-1

CVE-2021-38561 (High) detected in github.com/golang/text-v0.3.3, github.com/golang/text-v0.3.0

CVE-2021-38561 - High Severity Vulnerability

Vulnerable Libraries - github.com/golang/text-v0.3.3, github.com/golang/text-v0.3.0

github.com/golang/text-v0.3.3

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/Spf13/viper-v1.1.1 (Root Library)
    • github.com/spf13/afero-v1.3.1
      • ❌ github.com/golang/text-v0.3.3 (Vulnerable Library)

github.com/golang/text-v0.3.0

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65
        • ❌ github.com/golang/text-v0.3.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

CVE-2021-41190 (Medium) detected in github.com/opencontainers/Image-spec-v1.0.1

CVE-2021-41190 - Medium Severity Vulnerability

Vulnerable Library - github.com/opencontainers/Image-spec-v1.0.1

OCI Image Format

Library home page: https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.0.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/Image-spec-v1.0.1 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both "manifests" and "layers" fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both "manifests" and "layers" fields or "manifests" and "config" fields if they are unable to update to version 1.0.1 of the spec.

Publish Date: 2021-11-17

URL: CVE-2021-41190

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq97-vm5h-rrhg

Release Date: 2021-11-17

Fix Resolution: v2.8.0

CVE-2022-29526 (Medium) detected in github.com/golang/sys-v0.0.0-20190710143415-6ec70d6a5542

CVE-2022-29526 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/sys-v0.0.0-20190710143415-6ec70d6a5542

[mirror] Go packages for low-level interaction with the operating system

Library home page: https://proxy.golang.org/github.com/golang/sys/@v/v0.0.0-20190710143415-6ec70d6a5542.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • ❌ github.com/golang/sys-v0.0.0-20190710143415-6ec70d6a5542 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-23

URL: CVE-2022-29526

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526

Release Date: 2022-06-23

Fix Resolution: go1.17.10,go1.18.2,go1.19

CVE-2020-15257 (Medium) detected in github.com/containerd/Containerd-v1.4.1

CVE-2020-15257 - Medium Severity Vulnerability

Vulnerable Library - github.com/containerd/Containerd-v1.4.1

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.4.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/containerd/Containerd-v1.4.1 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

Publish Date: 2020-12-01

URL: CVE-2020-15257

CVSS 3 Score Details (5.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-36xw-fx78-c5r4

Release Date: 2020-12-01

Fix Resolution: v1.3.9,v1.4.3

CVE-2020-15250 (Medium) detected in junit-4.12.jar

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.12.jar

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

Library home page: http://junit.org

Path to dependency file: /core/chaincode/platforms/java/testdata/gradle/build.gradle

Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar

Dependency Hierarchy:

  • ❌ junit-4.12.jar (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

CVE-2020-11022 (Medium) detected in github.com/golang/tools-gopls/v0.3.1-pre1

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/tools-gopls/v0.3.1-pre1

[mirror] Go Tools

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ github.com/golang/tools-gopls/v0.3.1-pre1 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2022-34038 (High) detected in go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

CVE-2022-34038 - High Severity Vulnerability

Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • ❌ go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

** DISPUTED ** Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: the vendor's position is that this is not a vulnerability.

Publish Date: 2023-08-22

URL: CVE-2022-34038

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2021-27918 (High) detected in github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 - autoclosed

CVE-2021-27918 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-Go-v1.23.0
      • ❌ github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11

URL: CVE-2021-27918

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Release Date: 2021-03-11

Fix Resolution: 1.15.9, 1.16.1

CVE-2021-32760 (Medium) detected in github.com/containerd/Containerd-v1.4.1

CVE-2021-32760 - Medium Severity Vulnerability

Vulnerable Library - github.com/containerd/Containerd-v1.4.1

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.4.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/containerd/Containerd-v1.4.1 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Publish Date: 2021-07-19

URL: CVE-2021-32760

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-c72p-9xmj-rx3w

Release Date: 2021-07-19

Fix Resolution: v1.4.8, v1.5.4

CVE-2020-14040 (High) detected in github.com/golang/text-v0.3.0

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.0

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65
        • ❌ github.com/golang/text-v0.3.0 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

CVE-2021-30465 (High) detected in github.com/opencontainers/runc-v1.0.0-rc8

CVE-2021-30465 - High Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.0-rc8

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.0-rc8.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/fsouza/go-dockerclient-v1.7.0 (Root Library)
    • github.com/docker/docker-v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible
      • ❌ github.com/opencontainers/runc-v1.0.0-rc8 (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.

Publish Date: 2021-05-27

URL: CVE-2021-30465

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c3xm-pvg7-gh7r

Release Date: 2021-05-27

Fix Resolution: v1.0.0-rc95

CVE-2022-27664 (High) detected in golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

CVE-2022-27664 - High Severity Vulnerability

Vulnerable Libraries - golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110, github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20210226172049-e18ecbb05110.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/onsi/Gomega-v1.9.0 (Root Library)
    • ❌ golang.org/x/net-v0.0.0-20210226172049-e18ecbb05110 (Vulnerable Library)

github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /integration/chaincode/module/go.mod

Path to vulnerable library: /integration/chaincode/module/go.mod

Dependency Hierarchy:

  • github.com/hyperledger/fabric-protos-go-v0.0.0-20190903152505-b42e76e96ddd (Root Library)
    • github.com/grpc/grpc-go-v1.23.0
      • ❌ github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Publish Date: 2022-09-06

URL: CVE-2022-27664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2022-0969

Release Date: 2022-09-06

Fix Resolution: golang.org/x/net - 0.0.0-20220906165146-f3363e06e74c, go1.18.6, go1.19.1

CVE-2022-28948 (High) detected in github.com/go-yaml/yaml-v3.0.0 - autoclosed

CVE-2022-28948 - High Severity Vulnerability

Vulnerable Library - github.com/go-yaml/yaml-v3.0.0

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/stretchr/testify-a2f7dbf1509e1786c7150ad5b18999acf37b790b (Root Library)
    • ❌ github.com/go-yaml/yaml-v3.0.0 (Vulnerable Library)

Found in HEAD commit: 100aa9cb3f6ca90af54ab74f992aadf31d36380e

Found in base branch: master

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hp87-p4gw-j4gq

Release Date: 2022-05-19

Fix Resolution: 3.0.0
