
CVE Fixes Rollup #353

Open
wants to merge 4 commits into base: master

Conversation

unullmass

Addresses CVEs for the following dependencies:

Dependency go:github.com/gin-gonic/gin:v1.6.2 is vulnerable

Upgrade to 1.9.0

CVE-2023-26125, Score: 9.8

Versions of the package github.com/gin-gonic/gin prior to 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the "X-Forwarded-Prefix" header, potentially leading to cache poisoning.
Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-26125?utm_source=jetbrains&utm_medium=referral

CVE-2020-28483, Score: 7.1

This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2020-28483?utm_source=jetbrains&utm_medium=referral

Results powered by Checkmarx ©


Dependency go:github.com/labstack/echo:v3.3.10+incompatible is vulnerable

Upgrade to v3.3.8+incompatible

CVE-2022-40083, Score: 9.6

Labstack Echo versions prior to 4.9.0 were discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).

Read More: https://devhub.checkmarx.com/cve-details/CVE-2022-40083?utm_source=jetbrains&utm_medium=referral



Dependency go:golang.org/x/crypto:v0.0.0-20200622213623-75b288015ac9 is vulnerable

Upgrade to 0.21.0

CVE-2021-43565, Score: 7.5

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e, and 0.0.0-20211215165025-cf75a172585e of golang.org/x/crypto allows an attacker to panic an SSH server.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2021-43565?utm_source=jetbrains&utm_medium=referral

CVE-2022-27191, Score: 7.5

"golang.org/x/crypto/ssh" before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving "AddHostKey".

Read More: https://devhub.checkmarx.com/cve-details/CVE-2022-27191?utm_source=jetbrains&utm_medium=referral

CVE-2023-48795, Score: 5.9

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles the use of sequence numbers. For example, there is an effective attack against SSH's use of "ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC)". The bypass occurs in "chacha20-poly1305@openssh.com" and (if CBC is used) the "-etm@openssh.com" MAC algorithms. This vulnerability affects Go-git.luolix.top/golang/crypto package versions prior to 0.17.0, Python-paramiko package versions prior to 3.4.0 and Python-asyncssh package versions prior to 2.14.2, CPP-libssh2 package all versions, CPP-libssh package versions prior to 0.9.8, and 0.10.x versions prior to 0.10.6, NPM-ssh2 package versions 1.15.0, Maven-com.github.mwiede:jsch package versions prior to 0.2.15, Php-phpseclib/phpseclib package versions prior to 1.0.22, 2.0.x prior to 2.0.46, 3.0.x prior to 3.0.35.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-48795?utm_source=jetbrains&utm_medium=referral

CVE-2020-29652, Score: 7.5

A Nil Pointer Dereference in the golang.org/x/crypto/ssh component prior to v0.0.0-20201216223049-8b5274cf687f for Go allows remote attackers to cause a Denial of Service against SSH servers.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2020-29652?utm_source=jetbrains&utm_medium=referral

CVE-2023-42818, Score: 9.8

JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service. This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-42818?utm_source=jetbrains&utm_medium=referral



Dependency go:golang.org/x/net:v0.0.0-20210805182204-aaa1db679c0d is vulnerable

Upgrade to 0.17.0

CVE-2022-41723, Score: 7.5

Uncontrolled Resource Consumption in golang.org/x/net and github.com/golang/net prior to 0.7.0. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a Denial of Service from a small number of small requests.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2022-41723?utm_source=jetbrains&utm_medium=referral

CVE-2021-44716, Score: 7.5

golang.org/x/net in Go before 0.0.0-20211209124913-491a49abca63 allows uncontrolled memory consumption in the header "canonicalization cache" via HTTP/2 requests.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2021-44716?utm_source=jetbrains&utm_medium=referral

CVE-2022-41717, Score: 5.3

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. This issue affects "golang.org/x/net" package versions prior to v0.4.0.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2022-41717?utm_source=jetbrains&utm_medium=referral

CVE-2023-44487, Score: 5.3

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-44487?utm_source=jetbrains&utm_medium=referral

CVE-2023-39325, Score: 7.5

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the "http2.Server.MaxConcurrentStreams" setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit ("MaxConcurrentStreams"). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the "Server.MaxConcurrentStreams" setting and the "ConfigureServer" function. This issue affects the versions through 0.16.0.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-39325?utm_source=jetbrains&utm_medium=referral



Dependency go:golang.org/x/sys:v0.0.0-20210809222454-d867a43fc93e is vulnerable

Upgrade to 0.1.0

CVE-2022-29526, Score: 5.3

The packages golang.org/x/sys and github.com/golang/sys versions prior to v0.0.0-20220412211240-33da011f77ad have Incorrect Privilege Assignment. When called with a non-zero flags parameter, the "Faccessat" function could incorrectly report that a file is accessible.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2022-29526?utm_source=jetbrains&utm_medium=referral



Dependency go:golang.org/x/text:v0.3.6 is vulnerable

Upgrade to 0.3.8

CVE-2022-32149, Score: 7.5

In golang.org/x/text package versions prior to 0.3.8, an attacker may cause a denial of service by crafting an Accept-Language header which "ParseAcceptLanguage" will take significant time to parse.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2022-32149?utm_source=jetbrains&utm_medium=referral

CVE-2021-38561, Score: 7.5

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2021-38561?utm_source=jetbrains&utm_medium=referral


@unullmass force-pushed the LabstackCVEFix branch 2 times, most recently from 27ed67b to 62c26ca on June 20, 2024 05:32

@unullmass (Author)

@wwwdata requesting your review on this.


1 participant