x/vulndb: potential Go vuln in github.com/Kong/kong: CVE-2020-11710 #2270

Closed
tatianab opened this issue Nov 8, 2023 · 1 comment
Labels
excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process

Comments

@tatianab
Contributor

tatianab commented Nov 8, 2023

CVE-2020-11710 references github.com/Kong/kong, which may be a Go module.

Description:
** DISPUTED ** An issue was discovered in docker-kong (for Kong) through 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1. NOTE: The vendor argues that this CVE is not a vulnerability because it has an inaccurate bug scope and patch links. “1) Inaccurate Bug Scope - The issue scope was on Kong's docker-compose template, and not Kong's docker image itself. In reality, this issue is not associated with any version of the Kong gateway. As such, the description stating ‘An issue was discovered in docker-kong (for Kong) through 2.0.3.’ is incorrect. This issue only occurs if a user decided to spin up Kong via docker-compose without following the security documentation. The docker-compose template is meant for users to quickly get started with Kong, and is meant for development purposes only. 2) Incorrect Patch Links - The CVE currently points to a documentation improvement as a “Patch” link: https://github.com/Kong/docs.konghq.com/commit/d693827c32144943a2f45abc017c1321b33ff611. This link actually points to an improvement Kong Inc made for fool-proofing. However, instructions for how to protect the admin API were already well-documented here: https://docs.konghq.com/2.0.x/secure-admin-api/#network-layer-access-restrictions , which was first published back in 2017 (as shown in this commit: Kong/docs.konghq.com@e99cf87). Lastly, the hyperlink to https://github.com/Kong/kong (a GitHub repo unrelated to this issue) on the hyperlink list does not include any meaningful information on this topic.”

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/Kong/kong
      vulnerable_at: 0.0.0-20231108165846-67200823e8b5
      packages:
        - package: n/a
cves:
    - CVE-2020-11710
references:
    - web: https://github.com/Kong/kong
    - fix: https://github.com/Kong/docs.konghq.com/commit/d693827c32144943a2f45abc017c1321b33ff611
    - fix: https://github.com/Kong/docker-kong/commit/dfa095cadf7e8309155be51982d8720daf32e31c
    - fix: https://github.com/Kong/docs.konghq.com/commit/e99cf875d875dd84fdb751079ac37882c9972949
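The disputed description above boils down to one misconfiguration: a docker-compose `ports:` entry that publishes the admin API on every host interface instead of binding it to 127.0.0.1. The following is an added example written for this issue, not code from Kong, docker-kong or x/vulndb. It parses compose short-syntax port mappings, reports any that publish an admin port on a non-loopback host address, and rewrites them to a loopback binding. It assumes the admin API container ports are 8001 and 8444 (Kong's defaults, which the issue does not state), and the sample `ports:` list is constructed for the example rather than taken from the actual template.

```python
"""Audit docker-compose short-syntax port mappings for admin ports published
on all host interfaces (added example, not Kong's or x/vulndb's code)."""
import re

# Assumption: Kong's admin API listens on 8001 (HTTP) and 8444 (HTTPS).
KONG_ADMIN_PORTS = frozenset({8001, 8444})

# Host addresses that keep the port off non-loopback interfaces.
LOOPBACK = {"127.0.0.1", "[::1]"}

# Short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
# HOST_IP is dotted IPv4 or a bracketed IPv6 literal; ports may be ranges.
_PORT_RE = re.compile(
    r"^(?:(?P<host_ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host_port>\d+(?:-\d+)?):)?"
    r"(?P<container_port>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp))?$"
)

# Constructed sample of a compose `ports:` list; the third entry exposes the
# admin API on all interfaces, the fourth is correctly bound to loopback.
SAMPLE_PORTS = ["8000:8000", "8443:8443", "8001:8001", "127.0.0.1:8444:8444"]


def parse_mapping(spec):
    """Split a short-syntax mapping into its parts.

    Compose publishes on all interfaces when no host IP is given, so an
    absent HOST_IP is reported as 0.0.0.0. host_port is None when the host
    port is left to Docker; proto is None when not written explicitly.
    """
    m = _PORT_RE.match(str(spec).strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    parts = m.groupdict()
    parts["host_ip"] = parts["host_ip"] or "0.0.0.0"
    return parts


def _expand(port_spec):
    """Turn '8000' or '8000-8002' into the range of container ports it covers."""
    lo, _, hi = port_spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def find_exposed(ports, sensitive=KONG_ADMIN_PORTS):
    """Return (spec, host_ip, [sensitive ports]) for every mapping that
    publishes a sensitive container port on a non-loopback host address."""
    findings = []
    for spec in ports:
        m = parse_mapping(spec)
        if m["host_ip"] in LOOPBACK:
            continue
        hit = sorted(set(_expand(m["container_port"])) & set(sensitive))
        if hit:
            findings.append((str(spec).strip(), m["host_ip"], hit))
    return findings


def harden(spec):
    """Rewrite a mapping so the host side binds to 127.0.0.1 only.

    Loopback bindings are returned unchanged. A mapping with no host port
    becomes '127.0.0.1::PORT', which keeps Docker choosing the host port.
    """
    m = parse_mapping(spec)
    if m["host_ip"] in LOOPBACK:
        return str(spec).strip()
    proto = f"/{m['proto']}" if m["proto"] else ""
    return f"127.0.0.1:{m['host_port'] or ''}:{m['container_port']}{proto}"


if __name__ == "__main__":
    for spec, host_ip, hit in find_exposed(SAMPLE_PORTS):
        print(f"{spec}: admin port(s) {hit} published on {host_ip}; "
              f"suggested mapping {harden(spec)}")
```

Running the module on the constructed list reports only `8001:8001` and suggests `127.0.0.1:8001:8001`; the long `published:`/`host_ip:` syntax is not handled, so a file using it needs the same check applied to those keys.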

@tatianab tatianab added the excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process label Nov 8, 2023
@gopherbot
Contributor

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports
