Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove target for e* #2279

Merged
merged 3 commits into from
Dec 22, 2023
Merged

Remove target for e* #2279

merged 3 commits into from
Dec 22, 2023

Conversation

nicholasdille
Copy link
Contributor

No description provided.

Copy link

github-actions bot commented Dec 22, 2023

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/etcdadm:0.1.5

📦 Image Reference ghcr.io/uniget-org/tools/etcdadm:0.1.5
digestsha256:d9f92143447ca61445bc1d0d8654d2322b784079a7085c7b52c3c60dcab555d2
vulnerabilitiescritical: 4 high: 53 medium: 21 low: 1 unspecified: 1
platformlinux/amd64
size9.7 MB
packages44
critical: 3 high: 39 medium: 16 low: 1 stdlib 1.16.4 (golang)

pkg:golang/[email protected]

critical : CVE--2023--24540

Affected range<1.19.9
Fixed version1.19.9
Description

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

critical : CVE--2023--24538

Affected range<1.19.8
Fixed version1.19.8
Description

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected.

Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template.

As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml.

With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21.

Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.

critical : CVE--2022--23806

Affected range<1.16.14
Fixed version1.16.14
Description

Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.

high : CVE--2023--29403

Affected range<1.19.10
Fixed version1.19.10
Description

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.

If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

high : CVE--2022--30580

Affected range<1.17.11
Fixed version1.17.11
Description

On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".

high : CVE--2023--45287

Affected range<1.20.0
Fixed version1.20.0
Description

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits.

In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

high : CVE--2023--39325

Affected range<1.20.10
Fixed version1.20.10
Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

high : CVE--2023--24537

Affected range<1.19.8
Fixed version1.19.8
Description

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

high : CVE--2023--24536

Affected range<1.19.8
Fixed version1.19.8
Description

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts.

This stems from several causes:

  1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended.
  2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
  3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.

The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations.

In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms:

  1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

high : CVE--2023--24534

Affected range<1.19.8
Fixed version1.19.8
Description

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service.

Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.

With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

high : CVE--2022--41725

Affected range<1.19.6
Fixed version1.19.6
Description

A denial of service is possible from excessive resource consumption in net/http and mime/multipart.

Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files.

With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous.

In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.

Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

high : CVE--2022--41724

Affected range<1.19.6
Fixed version1.19.6
Description

Large handshake records may cause panics in crypto/tls.

Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

high : CVE--2022--41723

Affected range<1.19.6
Fixed version1.19.6
Description

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

high : CVE--2022--41722

Affected range<1.19.6
Fixed version1.19.6
Description

A path traversal vulnerability exists in filepath.Clean on Windows.

On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.

After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".

high : CVE--2022--41720

Affected range<1.18.9
Fixed version1.18.9
Description

On Windows, restricted files can be accessed via os.DirFS and http.Dir.

The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.

With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

high : CVE--2022--41716

Affected range<1.18.8
Fixed version1.18.8
Description

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.

In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

high : CVE--2022--41715

Affected range<1.18.7
Fixed version1.18.7
Description

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service.

The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

high : CVE--2022--32189

Affected range<1.17.13
Fixed version1.17.13
Description

Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.

high : CVE--2022--30635

Affected range<1.17.12
Fixed version1.17.12
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

high : CVE--2022--30634

Affected range<1.17.11
Fixed version1.17.11
Description

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

high : CVE--2022--30633

Affected range<1.17.12
Fixed version1.17.12
Description

Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion.

high : CVE--2022--30632

Affected range<1.17.12
Fixed version1.17.12
Description

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

high : CVE--2022--30631

Affected range<1.17.12
Fixed version1.17.12
Description

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

high : CVE--2022--30630

Affected range<1.17.12
Fixed version1.17.12
Description

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

high : CVE--2022--29804

Affected range<1.17.11
Fixed version1.17.11
Description

On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack.

For example, Clean(".\c:") returns "c:".

high : CVE--2022--2880

Affected range<1.18.7
Fixed version1.18.7
Description

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value.

After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

high : CVE--2022--2879

Affected range<1.18.7
Fixed version1.18.7
Description

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

high : CVE--2022--28327

Affected range<1.17.9
Fixed version1.17.9
Description

A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

high : CVE--2022--28131

Affected range<1.17.12
Fixed version1.17.12
Description

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

high : CVE--2022--27664

Affected range<1.18.6
Fixed version1.18.6
Description

HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.

high : CVE--2022--24921

Affected range<1.16.15
Fixed version1.16.15
Description

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

high : CVE--2022--24675

Affected range<1.17.9
Fixed version1.17.9
Description

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

high : CVE--2022--23772

Affected range<1.16.14
Fixed version1.16.14
Description

Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.

high : CVE--2021--44716

Affected range<1.16.12
Fixed version1.16.12
Description

An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.

high : CVE--2021--41772

Affected range<1.16.10
Fixed version1.16.10
Description

Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements.

Open could also panic if passed the empty string directly as an argument.

Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File.

Note that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one.

Finally, the actual panic site was made robust as a defense-in-depth measure.

high : CVE--2021--41771

Affected range<1.16.10
Fixed version1.16.10
Description

Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table.

high : CVE--2021--39293

Affected range<1.16.8
Fixed version1.16.8
Description

The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.

high : CVE--2021--33198

Affected range>=1.16.0-0
<1.16.5
Fixed version1.16.5
Description

Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.

high : CVE--2021--33196

Affected range>=1.16.0-0
<1.16.5
Fixed version1.16.5
Description

NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.

high : CVE--2023--29400

Affected range<1.19.9
Fixed version1.19.9
Description

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

high : CVE--2023--24539

Affected range<1.19.9
Fixed version1.19.9
Description

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

high : CVE--2021--33195

Affected range>=1.16.0-0
<1.16.5
Fixed version1.16.5
Description

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

medium : CVE--2023--29406

Affected range<1.19.11
Fixed version1.19.11
Description

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests.

With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

medium : CVE--2022--32148

Affected range<1.17.12
Fixed version1.17.12
Description

Client IP adresses may be unintentionally exposed via X-Forwarded-For headers.

When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation.

In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.

medium : CVE--2022--1705

Affected range<1.17.12
Fixed version1.17.12
Description

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

medium : CVE--2021--34558

Affected range>=1.16.0-0
<1.16.6
Fixed version1.16.6
Description

crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected.

medium : CVE--2023--39319

Affected range<1.20.8
Fixed version1.20.8
Description

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

medium : CVE--2023--39318

Affected range<1.20.8
Fixed version1.20.8
Description

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.

medium : CVE--2021--36221

Affected range>=1.16.0-0
<1.16.7
Fixed version1.16.7
Description

ReverseProxy can panic after encountering a problem copying a proxied response body.

medium : CVE--2022--1962

Affected range<1.17.12
Fixed version1.17.12
Description

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

medium : CVE--2023--45284

Affected range<1.20.11
Fixed version1.20.11
Description

On Windows, The IsLocal function does not correctly detect reserved device names in some cases.

Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.

With fix, IsLocal now correctly reports these names as non-local.

medium : CVE--2023--39326

Affected range<1.20.12
Fixed version1.20.12
Description

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.

A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.

Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

medium : CVE--2023--29409

Affected range<1.19.12
Fixed version1.19.12
Description

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures.

With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

medium : CVE--2023--24532

Affected range<1.19.7
Fixed version1.19.7
Description

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve).

This does not impact usages of crypto/ecdsa or crypto/ecdh.

medium : CVE--2022--41717

Affected range<1.18.9
Fixed version1.18.9
Description

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

medium : CVE--2022--29526

Affected range<1.17.10
Fixed version1.17.10
Description

When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

medium : CVE--2021--33197

Affected range>=1.16.0-0
<1.16.5
Fixed version1.16.5
Description

ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.

medium : CVE--2021--44717

Affected range<1.16.12
Fixed version1.16.12
Description

When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

low : CVE--2022--30629

Affected range<1.17.11
Fixed version1.17.11
Description

An attacker can correlate a resumed TLS session with a previous connection.

Session tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

critical: 1 high: 0 medium: 0 low: 0 github.com/satori/go.uuid 1.2.0 (golang)

pkg:golang/github.com/satori/[email protected]

critical : CVE--2021--3538

Affected range<1.2.1-0.20181016170032-d91630c85102
Fixed version1.2.1-0.20181016170032-d91630c85102
Description

UUIDs generated using NewV1 and NewV4 may not read the expected
number of random bytes. These UUIDs may contain a significantly smaller
amount of entropy than expected, possibly leading to collisions.

critical: 0 high: 5 medium: 0 low: 0 golang.org/x/crypto 0.0.0-20190820162420-60c769a6c586 (golang)

pkg:golang/golang.org/x/[email protected]

high 7.5: CVE--2022--27191 Use of a Broken or Risky Cryptographic Algorithm

Affected range<0.0.0-20220314234659-1baeb1ce4c0b
Fixed version0.0.0-20220314234659-1baeb1ce4c0b
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

high 7.5: CVE--2021--43565

Affected range<0.0.0-20211202192323-5770296d904e
Fixed version0.0.0-20211202192323-5770296d904e
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an unauthenticated attacker to panic an SSH server. When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.

high 7.5: CVE--2020--9283 Improper Verification of Cryptographic Signature

Affected range<0.0.0-20200220183623-bac4c82f6975
Fixed version0.0.0-20200220183623-bac4c82f6975
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

high 7.5: CVE--2020--7919 Improper Certificate Validation

Affected range<0.0.0-20200124225646-8b5121be2f68
Fixed version0.0.0-20200124225646-8b5121be2f68
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

The Helm core maintainers have identified a high severity security vulnerability in Go's crypto package affecting all versions prior to Helm 2.16.8 and Helm 3.1.0.

Thanks to @ravin9249 for identifying the vulnerability.

Impact

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients resulting in a panic via a malformed X.509 certificate. This may allow a remote attacker to cause a denial of service.

Patches

A patch to compile Helm against Go 1.14.4 has been provided for Helm 2 and is available in Helm 2.16.8. Helm 3.1.0 and newer are compiled against Go 1.13.7+.

Workarounds

No workaround is available. Users are urged to upgrade.

References

For more information

If you have any questions or comments about this advisory:

high 7.5: CVE--2020--29652 NULL Pointer Dereference

Affected range<0.0.0-20201216223049-8b5274cf687f
Fixed version0.0.0-20201216223049-8b5274cf687f
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. An attacker can craft an authentication request message for the gssapi-with-mic method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

critical: 0 high: 3 medium: 1 low: 0 golang.org/x/net 0.0.0-20191004110552-13f9640d40b9 (golang)

pkg:golang/golang.org/x/[email protected]

high 7.5: CVE--2022--27664

Affected range<0.0.0-20220906165146-f3363e06e74c
Fixed version0.0.0-20220906165146-f3363e06e74c
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

high : CVE--2021--44716

Affected range<0.0.0-20211209124913-491a49abca63
Fixed version0.0.0-20211209124913-491a49abca63
Description

An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.

high 7.5: CVE--2021--33194 Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range<0.0.0-20210520170846-37e1c6afe023
Fixed version0.0.0-20210520170846-37e1c6afe023
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.

medium 5.9: CVE--2021--31525 Uncontrolled Recursion

Affected range<0.0.0-20210428140749-89ef3d95e781
Fixed version0.0.0-20210428140749-89ef3d95e781
CVSS Score5.9
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

critical: 0 high: 2 medium: 1 low: 0 golang.org/x/text 0.3.2 (golang)

pkg:golang/golang.org/x/[email protected]

high 7.5: CVE--2022--32149 Missing Release of Resource after Effective Lifetime

Affected range<0.3.8
Fixed version0.3.8
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.

Specific Go Packages Affected

golang.org/x/text/language

high 7.5: CVE--2021--38561 Out-of-bounds Read

Affected range<0.3.7
Fixed version0.3.7
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

medium 7.5: CVE--2020--14040 Uncontrolled Resource Consumption

Affected range<0.3.3
Fixed version0.3.3
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Description

Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Specific Go Packages Affected

golang.org/x/text/encoding/unicode
golang.org/x/text/transform

critical: 0 high: 1 medium: 1 low: 0 unspecified: 1google.golang.org/grpc 1.19.0 (golang)

pkg:golang/google.golang.org/[email protected]

high 7.5: GHSA--m425--mq94--257g

Affected range<1.56.3
Fixed version1.56.3
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Impact

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

Patches

This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.

Workarounds

None.

References

#6703

medium 5.3: CVE--2023--44487 Uncontrolled Resource Consumption

Affected range<1.56.3
Fixed version1.56.3
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description

HTTP/2 Rapid reset attack

The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.

Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open.

The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.

The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.

In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.

Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the swift-nio-http2 repo advisory and their original conent follows.

swift-nio-http2 specific advisory

swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new Channels to serve the traffic. This can easily overwhelm an EventLoop and prevent it from making forward progress.

swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.

unspecified : GMS--2023--3788 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<1.56.3
Fixed version1.56.3, 1.57.1, 1.58.3
Description

Impact

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

Patches

This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.

Workarounds

None.

References

#6703

critical: 0 high: 1 medium: 0 low: 0 github.com/gogo/protobuf 1.2.2-0.20190723190241-65acae22fc9d (golang)

pkg:golang/github.com/gogo/[email protected]

high 8.6: CVE--2021--3121 Improper Validation of Array Index

Affected range<1.3.2
Fixed version1.3.2
CVSS Score8.6
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Description

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

critical: 0 high: 1 medium: 0 low: 0 github.com/dgrijalva/jwt-go 3.2.0+incompatible (golang)

pkg:golang/github.com/dgrijalva/[email protected]+incompatible

high 7.5: CVE--2020--26160 Improper Authentication

Affected range<=3.2.0
Fixed versionNot Fixed
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description

jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1

critical: 0 high: 1 medium: 0 low: 0 github.com/prometheus/client_golang 1.0.0 (golang)

pkg:golang/github.com/prometheus/[email protected]

high 7.5: CVE--2022--21698 Uncontrolled Resource Consumption

Affected range<1.11.1
Fixed version1.11.1
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Affected Configuration

In order to be affected, an instrumented software must

  • Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight.
  • Do not filter any specific methods (e.g GET) before middleware.
  • Pass metric with method label name to our middleware.
  • Not have any firewall/LB/proxy that filters away requests with unknown method.

Patches

Workarounds

If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:

  • Remove method label name from counter/gauge you use in the InstrumentHandler.
  • Turn off affected promhttp handlers.
  • Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
  • Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

For more information

If you have any questions or comments about this advisory:

critical: 0 high: 0 medium: 1 low: 0 golang.org/x/sys 0.0.0-20190826190057-c7b8b68b1456 (golang)

pkg:golang/golang.org/x/[email protected]

medium 5.3: CVE--2022--29526 Improper Privilege Management

Affected range<0.0.0-20220412211240-33da011f77ad
Fixed version0.0.0-20220412211240-33da011f77ad
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Reporting in syscall. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Specific Go Packages Affected

golang.org/x/sys/unix

critical: 0 high: 0 medium: 1 low: 0 gopkg.in/yaml.v2 2.2.4 (golang)

pkg:golang/gopkg.in/[email protected]

medium 6.5: CVE--2019--11254 Excessive Platform Resource Consumption within a Loop

Affected range<2.2.8
Fixed version2.2.8
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

@nicholasdille nicholasdille merged commit ae73d67 into main Dec 22, 2023
32 checks passed
@nicholasdille nicholasdille deleted the remove-target-e branch December 22, 2023 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant