github.com/intelops/go-common-v1.0.23: 4 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - github.com/intelops/go-common-v1.0.23

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (github.com/intelops/go-common-v1.0.23 version)	Remediation Possible**
CVE-2023-45288	High	7.5	golang.org/x/net-v0.21.0	Transitive	N/A*	❌
CVE-2024-6104	Medium	6.0	github.com/hashiCorp/go-retryablehttp-v0.7.5	Transitive	N/A*	❌
CVE-2024-45338	Medium	5.3	golang.org/x/net-v0.21.0	Transitive	N/A*	❌
CVE-2024-28180	Medium	4.3	github.com/go-jose/go-jose/v3-v3.0.2	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-45288

Vulnerable Library - golang.org/x/net-v0.21.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Dependency Hierarchy:

• github.com/intelops/go-common-v1.0.23 (Root Library)
  • github.com/HashiCorp/vault/api-v1.10.0
    • ❌ golang.org/x/net-v0.21.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Publish Date: 2024-04-04

URL: CVE-2023-45288

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-10-06

Fix Resolution: golang/net - v0.23.0

Step up your Open Source Security Game with Mend here

CVE-2024-6104

Vulnerable Library - github.com/hashiCorp/go-retryablehttp-v0.7.5

Library home page: https://proxy.golang.org/github.com/hashi!corp/go-retryablehttp/@v/v0.7.5.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/hashicorp/go-retryablehttp/@v/v0.7.5.mod

Dependency Hierarchy:

• github.com/intelops/go-common-v1.0.23 (Root Library)
  • ❌ github.com/hashiCorp/go-retryablehttp-v0.7.5 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Publish Date: 2024-06-24

URL: CVE-2024-6104

CVSS 3 Score Details (6.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-6104

Release Date: 2024-06-24

Fix Resolution: github.com/hashicorp/go-retryablehttp-v0.7.7

Step up your Open Source Security Game with Mend here

CVE-2024-45338

Vulnerable Library - golang.org/x/net-v0.21.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Dependency Hierarchy:

• github.com/intelops/go-common-v1.0.23 (Root Library)
  • github.com/HashiCorp/vault/api-v1.10.0
    • ❌ golang.org/x/net-v0.21.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Publish Date: 2024-12-18

URL: CVE-2024-45338

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-12-18

Fix Resolution: github.com/golang/net-v0.33.0

Step up your Open Source Security Game with Mend here

CVE-2024-28180

Vulnerable Library - github.com/go-jose/go-jose/v3-v3.0.2

An implementation of JOSE standards (JWE, JWS, JWT) in Go

Library home page: https://proxy.golang.org/github.com/go-jose/go-jose/v3/@v/v3.0.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/go-jose/go-jose/v3/@v/v3.0.2.mod

Dependency Hierarchy:

• github.com/intelops/go-common-v1.0.23 (Root Library)
  • github.com/HashiCorp/vault/api-v1.10.0
    • ❌ github.com/go-jose/go-jose/v3-v3.0.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Publish Date: 2024-03-09

URL: CVE-2024-28180

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180

Release Date: 2024-03-09

Fix Resolution: v2.6.3,v3.0.3,v4.0.1

Step up your Open Source Security Game with Mend here