
CVE-2020-26160 vulnerability #1386

Closed
ekj1711 opened this issue May 3, 2021 · 2 comments · Fixed by #1433

Comments

ekj1711 commented May 3, 2021

Is your feature request related to a problem? Please describe.
Viper has dgrijalva/jwt-go (actually v3.2.0) as a dependency. This library has a known vulnerability, CVE-2020-26160.
dgrijalva/jwt-go seems to have a fix for this issue in version release-4.0.0, but it has been abandoned since January 2020.

This issue intends to ensure that go.sum does not have any entries for github.com/dgrijalva/jwt-go once spf13/viper#1115 is merged.
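For readers who want to see what CVE-2020-26160 actually is: jwt-go v3.2.0's MapClaims.VerifyAudience does a bare type assertion of the "aud" claim to string, so an array-valued "aud" (which RFC 7519 permits) silently becomes "" and, when the caller passes required=false, the check passes for any audience. The following is an added example, not code from this issue, from viper, cobra or jwt-go: the vulnerable function is reconstructed from my reading of the library, the corrected one is my own, and the two JWT payloads are constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// Claims is a decoded JWT payload the way jwt-go's MapClaims holds it: a map
// filled by encoding/json, so "aud" is a string or a []interface{} depending
// on how the token was encoded.
type Claims map[string]interface{}

// vulnerableVerifyAudience mirrors the shape of MapClaims.VerifyAudience in
// jwt-go v3.2.0 (reconstructed for illustration, not the library's source).
// A failed type assertion yields "", and an empty audience is accepted
// whenever required is false, which is how the bypass works.
func vulnerableVerifyAudience(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// fixedVerifyAudience accepts both encodings RFC 7519 allows for "aud"
// (a single string or an array of strings), rejects any other JSON type,
// and only treats the claim as absent when it really is absent or empty.
func fixedVerifyAudience(c Claims, expected string, required bool) bool {
	var auds []string
	switch v := c["aud"].(type) {
	case nil:
		// claim not present
	case string:
		auds = []string{v}
	case []interface{}:
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return false // malformed audience entry
			}
			auds = append(auds, s)
		}
	default:
		return false // unexpected JSON type (number, object, ...)
	}
	if len(auds) == 0 {
		return !required
	}
	for _, aud := range auds {
		if subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}

// parseClaims decodes a JWT payload into Claims, leaving JSON types intact
// (no coercion of arrays to strings), as jwt-go does.
func parseClaims(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed payloads (not real tokens). The second names two other
	// services and should never be accepted by the "billing" service.
	for _, payload := range []string{
		`{"sub":"alice","aud":"billing"}`,
		`{"sub":"alice","aud":["reports","analytics"]}`,
	} {
		c, err := parseClaims(payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-48s vulnerable=%v fixed=%v\n", payload,
			vulnerableVerifyAudience(c, "billing", false),
			fixedVerifyAudience(c, "billing", false))
	}
}
```

The bypass needs required=false, which is the call most services made because "aud" is optional, and it only matters for a service that relies on this library check alone; a service that verifies audience itself is not affected, which is the same reasoning applied to cobra later in this thread.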

jpmcb (Collaborator) commented Jun 2, 2021

Thanks for surfacing this. I would call this non-critical since this is not a possible code path in cobra.

Dependency tree in spf13/viper:

❯ go mod why github.com/dgrijalva/jwt-go
go: downloading github.com/mitchellh/mapstructure v1.3.3
go: downloading github.com/spf13/afero v1.5.1
go: downloading github.com/spf13/pflag v1.0.3
go: downloading golang.org/x/sys v0.0.0-20210309074719-68d13333faf2
go: downloading gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15
go: downloading golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
go: downloading google.golang.org/appengine v1.6.1
go: downloading golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb
go: downloading github.com/soheilhy/cmux v0.1.5
go: downloading go.opencensus.io v0.22.2
go: downloading golang.org/x/tools v0.0.0-20200103221440-774c71fcf114
go: downloading github.com/mitchellh/go-homedir v1.0.0
go: downloading github.com/prometheus/client_golang v1.10.0
go: downloading github.com/gogo/protobuf v1.2.1
go: downloading go.uber.org/zap v1.13.0
go: downloading github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c
go: downloading github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6
go: downloading github.com/miekg/dns v1.0.14
go: downloading github.com/prometheus/common v0.18.0
go: downloading github.com/prometheus/procfs v0.6.0
go: downloading go.uber.org/atomic v1.5.0
go: downloading go.uber.org/multierr v1.3.0
# github.com/dgrijalva/jwt-go
github.com/spf13/viper/remote
github.com/bketelsen/crypt/config
github.com/bketelsen/crypt/backend/etcd
github.com/coreos/etcd/client
github.com/coreos/etcd/client.test
github.com/coreos/etcd/integration
github.com/coreos/etcd/etcdserver
github.com/coreos/etcd/auth
github.com/dgrijalva/jwt-go

Does cobra use the spf13/viper/remote module?

❯ go mod why github.com/spf13/viper/remote
go: downloading google.golang.org/grpc v1.21.1
go: downloading golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5
go: downloading github.com/json-iterator/go v1.1.6
go: downloading golang.org/x/net v0.0.0-20190620200207-3b0461eec859
# github.com/spf13/viper/remote
(main module does not need package github.com/spf13/viper/remote)

Doesn't look like it.

While (of course) we want to get this CVE fix in, users of cobra are not directly affected by it since the viper/remote package is not used in cobra.
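The reachability check above is the useful part of this triage, and it is worth automating in CI. Two details of the `go mod why` output matter: a stanza that reads "(main module does not need package ...)" means the package is not in the build graph at all, and a chain that passes through a ".test" package (as the jwt-go chain above does, via github.com/coreos/etcd/client.test) reaches the package only through a dependency's tests; `go mod why -vendor` excludes those, so a chain like that should be re-run with -vendor before being counted as reachable. The following is an added example, not code from cobra, viper or this issue: a parser for that output plus a triage function, run over the two stanzas quoted above concatenated into one sample input (constructed from this thread).

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// WhyResult is one stanza of `go mod why` output: the package asked about,
// the shortest import chain from the main module to it (empty when the main
// module does not need it), and whether that chain passes through a test
// binary of a dependency (a hop ending in ".test").
type WhyResult struct {
	Package string
	Chain   []string
	ViaTest bool
}

// Reachable reports whether the main module's build graph needs the package.
func (r WhyResult) Reachable() bool { return len(r.Chain) > 0 }

// parseGoModWhy splits `go mod why` output into stanzas. Each stanza opens
// with "# <package>" and is followed either by the import chain, one package
// per line, or by "(main module does not need package <pkg>)". "go: ..."
// progress lines are skipped in case stderr was merged into the capture.
func parseGoModWhy(out string) []WhyResult {
	var results []WhyResult
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "", strings.HasPrefix(line, "go: "):
			continue
		case strings.HasPrefix(line, "# "):
			results = append(results, WhyResult{Package: strings.TrimPrefix(line, "# ")})
		case strings.HasPrefix(line, "("):
			// unreachable marker: leave Chain empty for the current stanza
		case len(results) > 0:
			cur := &results[len(results)-1] // index into the slice, not a stale copy
			cur.Chain = append(cur.Chain, line)
			if strings.HasSuffix(line, ".test") {
				cur.ViaTest = true
			}
		}
	}
	return results
}

// triage assigns each parsed package a verdict for a dependency review:
// not needed, reachable only via a dependency's tests (confirm with
// `go mod why -vendor`), or reachable from production code.
func triage(results []WhyResult) map[string]string {
	verdict := make(map[string]string, len(results))
	for _, r := range results {
		switch {
		case !r.Reachable():
			verdict[r.Package] = "not needed by main module"
		case r.ViaTest:
			verdict[r.Package] = "reachable via dependency tests: " + strings.Join(r.Chain, " -> ")
		default:
			verdict[r.Package] = "reachable from production code: " + strings.Join(r.Chain, " -> ")
		}
	}
	return verdict
}

// sampleOutput is constructed from the two `go mod why` runs quoted in this
// thread (the jwt-go chain seen from viper, the viper/remote answer seen from
// cobra), concatenated so one parse shows both stanza shapes.
const sampleOutput = `# github.com/dgrijalva/jwt-go
github.com/spf13/viper/remote
github.com/bketelsen/crypt/config
github.com/bketelsen/crypt/backend/etcd
github.com/coreos/etcd/client
github.com/coreos/etcd/client.test
github.com/coreos/etcd/integration
github.com/coreos/etcd/etcdserver
github.com/coreos/etcd/auth
github.com/dgrijalva/jwt-go
# github.com/spf13/viper/remote
(main module does not need package github.com/spf13/viper/remote)
`

func main() {
	for pkg, v := range triage(parseGoModWhy(sampleOutput)) {
		fmt.Printf("%s: %s\n", pkg, v)
	}
}
```

In a pipeline the input would be the captured output of `go mod why <pkg>` for each package a scanner flagged; a "reachable from production code" verdict is the only one that should block a build, while the other two are worth a ticket but not a gate.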

elfahxh commented Jun 21, 2021

There are also many other CVEs found; see ticket #1421.

3 participants