xmidt-org / arrange Goto Github PK

Vulnerable Library - golang.org/x/sys-v0.0.0-20220520151302-bc2c85ada10a

[mirror] Go packages for low-level interaction with the operating system

Library home page: https://proxy.golang.org/golang.org/x/sys/@v/v0.0.0-20220520151302-bc2c85ada10a.zip

Dependency Hierarchy:

• go.uber.org/fx-v1.18.1 (Root Library)
  • ❌ golang.org/x/sys-v0.0.0-20220520151302-bc2c85ada10a (Vulnerable Library)

Found in HEAD commit: 451664259ff0829a88426acfd243e9a7c6027d62

Found in base branch: main

Vulnerability Details

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Publish Date: 2022-12-08

URL: CVE-2022-41717

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-08

Fix Resolution: go1.19.4

Vulnerable Library - golang.org/x/text-v0.3.7

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.7.zip

Dependency Hierarchy:

• github.com/spf13/viper-v1.12.0 (Root Library)
  • github.com/spf13/afero-v1.8.2
    • ❌ golang.org/x/text-v0.3.7 (Vulnerable Library)

Found in HEAD commit: 451664259ff0829a88426acfd243e9a7c6027d62

Found in base branch: main

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

Vulnerable Library - github.com/go-yaml/yaml-v3.0.0

YAML support for the Go language.

Dependency Hierarchy:

• github.com/stretchr/testify/require-v1.7.0 (Root Library)
  • github.com/stretchr/testify/assert-v1.7.0
    • ❌ github.com/go-yaml/yaml-v3.0.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hp87-p4gw-j4gq

Release Date: 2022-05-19

Fix Resolution: 3.0.0

Vulnerable Library - golang.org/x/text-v0.3.5

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.5.zip

Dependency Hierarchy:

• github.com/spf13/viper-v1.7.1 (Root Library)
  • github.com/spf13/afero-v1.6.0
    • ❌ golang.org/x/text-v0.3.5 (Vulnerable Library)

Found in HEAD commit: f0d954e4dcc0f29c683f57fb0129ebcf7631ba75

Found in base branch: main

Vulnerability Details

Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.

Publish Date: 2021-08-12

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

Vulnerable Library - github.com/golang/sys-43e1dd70ce54ee5b1711930029ae5b4926f78f72

[mirror] Go packages for low-level interaction with the operating system

Dependency Hierarchy:

• github.com/spf13/viper-v1.7.1 (Root Library)
  • github.com/fsnotify/fsnotify-v1.4.9
    • ❌ github.com/golang/sys-43e1dd70ce54ee5b1711930029ae5b4926f78f72 (Vulnerable Library)

Found in HEAD commit: f0d954e4dcc0f29c683f57fb0129ebcf7631ba75

Found in base branch: main

Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-23

URL: CVE-2022-29526

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None