
CVE in v1.0.0 #1209

Closed
AbsoLouie opened this issue Aug 26, 2020 · 3 comments
Labels
kind/bug A bug in cobra; unintended behavior

Comments

@AbsoLouie

AbsoLouie commented Aug 26, 2020

Hello, we recently ran a CVE scan on a project that requires [email protected], and it seems like it is the result of this dependency:

github.com/spf13/[email protected] github.com/coreos/[email protected]+incompatible

It looks like it is related to CVE-2020-15114. The current go.mod on master doesn't require [email protected] anymore, and I was wondering if it would be possible to do a patch release.

EDIT: Used JIRA linking syntax instead of markdown

@AbsoLouie
Author

Running nancy on repo tag v1.0.0:

go list -json -m all | nancy
 __  __
/\ \/\ \
\ \ `\\ \      __       ___      ___    __  __
 \ \ , ` \   /'__`\   /' _ `\   /'___\ /\ \/\ \
  \ \ \`\ \ /\ \L\.\_ /\ \/\ \ /\ \__/ \ \ \_\ \
   \ \_\ \_\\ \__/.\_\\ \_\ \_\\ \____\ \/`____ \
    \/_/\/_/ \/__/\/_/ \/_/\/_/ \/____/  `/___/> \
                                            /\___/
                                            \/__/
  _        _                           _    _
 /_)      /_` _  _  _ _/_     _  _    (/   /_` _ . _  _   _/  _
/_) /_/  ._/ /_// //_|/  /_/ /_//_'  (_X  /   / / /_'/ //_/ _\
    _/                   _/ /
Nancy version: 0.3.1

Non Vulnerable Packages

[1/94]	pkg:golang/cloud.google.com/[email protected]
[2/94]	pkg:golang/github.com/BurntSushi/[email protected]
[3/94]	pkg:golang/github.com/OneOfOne/[email protected]
[4/94]	pkg:golang/github.com/alecthomas/[email protected]
[5/94]	pkg:golang/github.com/alecthomas/[email protected]
[6/94]	pkg:golang/github.com/armon/[email protected]
[7/94]	pkg:golang/github.com/beorn7/[email protected]
[8/94]	pkg:golang/github.com/cespare/[email protected]
[9/94]	pkg:golang/github.com/client9/[email protected]
[10/94]	pkg:golang/github.com/coreos/[email protected]
[11/94]	pkg:golang/github.com/coreos/[email protected]
[12/94]	pkg:golang/github.com/coreos/[email protected]
[13/94]	pkg:golang/github.com/coreos/[email protected]
[14/94]	pkg:golang/github.com/cpuguy83/go-md2man/[email protected]
[15/94]	pkg:golang/github.com/davecgh/[email protected]
[16/94]	pkg:golang/github.com/dgrijalva/[email protected]
[17/94]	pkg:golang/github.com/dgryski/[email protected]
[18/94]	pkg:golang/github.com/fsnotify/[email protected]
[19/94]	pkg:golang/github.com/ghodss/[email protected]
[20/94]	pkg:golang/github.com/go-kit/[email protected]
[21/94]	pkg:golang/github.com/go-logfmt/[email protected]
[22/94]	pkg:golang/github.com/go-stack/[email protected]
[23/94]	pkg:golang/github.com/gogo/[email protected]
[24/94]	pkg:golang/github.com/golang/[email protected]
[25/94]	pkg:golang/github.com/golang/[email protected]
[26/94]	pkg:golang/github.com/golang/[email protected]
[27/94]	pkg:golang/github.com/golang/[email protected]
[28/94]	pkg:golang/github.com/google/[email protected]
[29/94]	pkg:golang/github.com/google/[email protected]
[30/94]	pkg:golang/github.com/grpc-ecosystem/[email protected]
[31/94]	pkg:golang/github.com/grpc-ecosystem/[email protected]
[32/94]	pkg:golang/github.com/grpc-ecosystem/[email protected]
[33/94]	pkg:golang/github.com/hashicorp/[email protected]
[34/94]	pkg:golang/github.com/inconshreveable/[email protected]
[35/94]	pkg:golang/github.com/jonboulle/[email protected]
[36/94]	pkg:golang/github.com/julienschmidt/[email protected]
[37/94]	pkg:golang/github.com/kisielk/[email protected]
[38/94]	pkg:golang/github.com/kisielk/[email protected]
[39/94]	pkg:golang/github.com/konsorten/[email protected]
[40/94]	pkg:golang/github.com/kr/[email protected]
[41/94]	pkg:golang/github.com/kr/[email protected]
[42/94]	pkg:golang/github.com/kr/[email protected]
[43/94]	pkg:golang/github.com/kr/[email protected]
[44/94]	pkg:golang/github.com/magiconair/[email protected]
[45/94]	pkg:golang/github.com/matttproud/[email protected]
[46/94]	pkg:golang/github.com/mitchellh/[email protected]
[47/94]	pkg:golang/github.com/mitchellh/[email protected]
[48/94]	pkg:golang/github.com/mwitkow/[email protected]
[49/94]	pkg:golang/github.com/oklog/[email protected]
[50/94]	pkg:golang/github.com/pelletier/[email protected]
[51/94]	pkg:golang/github.com/pkg/[email protected]
[52/94]	pkg:golang/github.com/pmezard/[email protected]
[53/94]	pkg:golang/github.com/prometheus/[email protected]
[54/94]	pkg:golang/github.com/prometheus/[email protected]
[55/94]	pkg:golang/github.com/prometheus/[email protected]
[56/94]	pkg:golang/github.com/prometheus/[email protected]
[57/94]	pkg:golang/github.com/prometheus/[email protected]
[58/94]	pkg:golang/github.com/rogpeppe/[email protected]
[59/94]	pkg:golang/github.com/russross/blackfriday/[email protected]
[60/94]	pkg:golang/github.com/shurcooL/[email protected]
[61/94]	pkg:golang/github.com/sirupsen/[email protected]
[62/94]	pkg:golang/github.com/soheilhy/[email protected]
[63/94]	pkg:golang/github.com/spaolacci/[email protected]
[64/94]	pkg:golang/github.com/spf13/[email protected]
[65/94]	pkg:golang/github.com/spf13/[email protected]
[66/94]	pkg:golang/github.com/spf13/[email protected]
[67/94]	pkg:golang/github.com/spf13/[email protected]
[68/94]	pkg:golang/github.com/spf13/[email protected]
[69/94]	pkg:golang/github.com/stretchr/[email protected]
[70/94]	pkg:golang/github.com/stretchr/[email protected]
[71/94]	pkg:golang/github.com/tmc/[email protected]
[72/94]	pkg:golang/github.com/ugorji/[email protected]
[73/94]	pkg:golang/github.com/xiang90/[email protected]
[74/94]	pkg:golang/github.com/xordataexchange/[email protected]
[75/94]	pkg:golang/go.etcd.io/[email protected]
[76/94]	pkg:golang/go.uber.org/[email protected]
[77/94]	pkg:golang/go.uber.org/[email protected]
[78/94]	pkg:golang/go.uber.org/[email protected]
[79/94]	pkg:golang/golang.org/x/[email protected]
[80/94]	pkg:golang/golang.org/x/[email protected]
[81/94]	pkg:golang/golang.org/x/[email protected]
[82/94]	pkg:golang/golang.org/x/[email protected]
[83/94]	pkg:golang/golang.org/x/[email protected]
[84/94]	pkg:golang/golang.org/x/[email protected]
[85/94]	pkg:golang/golang.org/x/[email protected]
[86/94]	pkg:golang/golang.org/x/[email protected]
[87/94]	pkg:golang/google.golang.org/[email protected]
[88/94]	pkg:golang/google.golang.org/[email protected]
[89/94]	pkg:golang/google.golang.org/[email protected]
[90/94]	pkg:golang/github.com/alecthomas/[email protected]
[91/94]	pkg:golang/github.com/go-check/[email protected]
[92/94]	pkg:golang/github.com/go-resty/[email protected]
[93/94]	pkg:golang/github.com/go-yaml/[email protected]
[94/94]	pkg:golang/honnef.co/go/[email protected]

Vulnerable Packages

[1/3]	pkg:golang/github.com/coreos/[email protected]
3 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP                                                             ┃
┃                    ┃ proxy to allow for basic service discovery and access. However, it is                                                                   ┃
┃                    ┃ possible to include the gateway address as an endpoint. This results in a                                                               ┃
┃                    ┃ denial of service, since the endpoint can become stuck in a loop of                                                                     ┃
┃                    ┃ requesting itself until there are no more available file descriptors to                                                                 ┃
┃                    ┃ accept connections on the gateway.                                                                                                      ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ bba60acb-c7b5-4621-af69-f4085a8301d0                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.7/10 (High)                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/bba60acb-c7b5-4621-af69-f4085a8301d0?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15136] In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only ap...                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is                                                                ┃
┃                    ┃ only applied to endpoints detected in DNS SRV records. When starting a                                                                  ┃
┃                    ┃ gateway, TLS authentication will only be attempted on endpoints identified                                                              ┃
┃                    ┃ in DNS SRV records for a given domain, which occurs in the                                                                              ┃
┃                    ┃ discoverEndpoints function. No authentication is performed against                                                                      ┃
┃                    ┃ endpoints provided in the --endpoints flag. This has been fixed in versions                                                             ┃
┃                    ┃ 3.4.10 and 3.3.23 with improved documentation and deprecation of the                                                                    ┃
┃                    ┃ functionality.                                                                                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ d373dc3f-aa88-483b-b501-20fe5382cc80                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 6.5/10 (Medium)                                                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/d373dc3f-aa88-483b-b501-20fe5382cc80?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15115] etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ etcd before versions 3.3.23 and 3.4.10 does not perform any password length                                                             ┃
┃                    ┃ validation, which allows for very short passwords, such as those with a                                                                 ┃
┃                    ┃ length of one. This may allow an attacker to guess or brute-force users'                                                                ┃
┃                    ┃ passwords with little computational effort.                                                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 5def94e5-b89c-4a94-b9c6-ae0e120784c2                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.8/10 (Medium)                                                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/5def94e5-b89c-4a94-b9c6-ae0e120784c2?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[2/3]	pkg:golang/github.com/gorilla/[email protected]
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CWE-190: Integer Overflow or Wraparound                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ The software performs a calculation that can produce an integer overflow or                                                                   ┃
┃                    ┃ wraparound, when the logic assumes that the resulting value will always be                                                                    ┃
┃                    ┃ larger than the original value. This can introduce other weaknesses when                                                                      ┃
┃                    ┃ the calculation is used for resource management or execution control.                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 5f259e63-3efb-4c47-b593-d175dca716b0                                                                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.5/10 (High)                                                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                                                                                  ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/5f259e63-3efb-4c47-b593-d175dca716b0?component-type=golang&component-name=github.com%2Fgorilla%2Fwebsocket ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[3/3]	pkg:golang/golang.org/x/[email protected]
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2019-11840]  Use of Insufficiently Random Values                                                                                                     ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ An issue was discovered in supplementary Go cryptography libraries, aka                                                              ┃
┃                    ┃ golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the                                                              ┃
┃                    ┃ amd64 implementation of golang.org/x/crypto/salsa20 and                                                                              ┃
┃                    ┃ golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is                                                              ┃
┃                    ┃ generated, or if the counter otherwise grows greater than 32 bits, the                                                               ┃
┃                    ┃ amd64 implementation will first generate incorrect output, and then cycle                                                            ┃
┃                    ┃ back to previously generated keystream. Repeated keystream bytes can lead                                                            ┃
┃                    ┃ to loss of confidentiality in encryption applications, or to predictability                                                          ┃
┃                    ┃ in CSPRNG applications.                                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 5121f5ff-9831-44a6-af2e-24f7301d1df7                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.9/10 (Medium)                                                                                                                      ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/5121f5ff-9831-44a6-af2e-24f7301d1df7?component-type=golang&component-name=golang.org%2Fx%2Fcrypto ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 97 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 3  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛

@AbsoLouie
Author

Hmm it seems that the viper dependency moved into the cobra/cobra directory so the vulnerability still exists on master. Looks like viper is also working on a fix: spf13/viper#961

@jpmcb
Collaborator

jpmcb commented Aug 27, 2020

Thanks for bringing this up!

I've checked out the v1.0.0 branch and I've confirmed that cobra itself does not need or use any of these dependencies. They appear to be indirect dependencies primarily from the viper library.


coreos/etcd:

❯ go mod why -m github.com/coreos/etcd
# github.com/coreos/etcd
(main module does not need module github.com/coreos/etcd)

Usage in viper:

❯ go mod graph | rg coreos/etcd
github.com/spf13/[email protected] github.com/coreos/[email protected]+incompatible

gorilla/websocket:

❯ go mod why -m github.com/gorilla/websocket
# github.com/gorilla/websocket
(main module does not need module github.com/gorilla/websocket)

Usage in viper:

❯ go mod graph | rg gorilla/websocket
github.com/spf13/[email protected] github.com/gorilla/[email protected]

golang.org/x/crypto

❯ go mod why -m golang.org/x/crypto
# golang.org/x/crypto
(main module does not need module golang.org/x/crypto)

This one's a bit trickier, but it looks like several of viper's and pflag's dependencies rely on the golang.org/x/net package, which has an indirect dependency on crypto.


These CVEs also appear to all be networking / web server related, so I'm not worried about exposing cobra users to these vulnerabilities. And yes, until etcd adds proper go mod support, there isn't really a way to add a replace statement. But for now, this doesn't directly affect cobra.

@jpmcb jpmcb closed this as completed Aug 27, 2020
@jpmcb jpmcb added the kind/bug A bug in cobra; unintended behavior label Aug 27, 2020
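Tracing a flagged module back to the direct requirement that pulls it in is the question jpmcb answers above by hand with `go mod graph | rg ...`. The Go program below is an added example written for this page, not code from cobra, viper, nancy or any commenter. It parses `go mod graph` output (a constructed sample is embedded, with a made-up main module `example.com/mycli` and made-up versions, so it is not cobra's real v1.0.0 graph) and, for each module a scanner flags, reports the shortest requirement chain from the main module and which direct dependencies are responsible for it. Note that this answers a different question from `go mod why -m`, which walks package imports and prints "main module does not need module" when nothing is imported from the module even though it is still in the build list and therefore still shows up in scanners like nancy.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a CONSTRUCTED excerpt in the format `go mod graph` prints:
// one "requirer requirement" pair per line, every node written as
// "path@version" except the main module, which carries no version.
// The module names mirror the thread; the main module example.com/mycli
// and all version strings are made up for this demo.
const sampleGraph = `example.com/mycli github.com/spf13/cobra@v1.0.0
example.com/mycli github.com/pkg/errors@v0.8.1
github.com/spf13/cobra@v1.0.0 github.com/spf13/pflag@v1.0.3
github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0
github.com/spf13/viper@v1.4.0 github.com/coreos/etcd@v3.3.10+incompatible
github.com/spf13/viper@v1.4.0 github.com/gorilla/websocket@v1.4.0
github.com/spf13/viper@v1.4.0 golang.org/x/net@v0.0.0-20190101000000-000000000000
golang.org/x/net@v0.0.0-20190101000000-000000000000 golang.org/x/crypto@v0.0.0-20190101000000-000000000000
`

// Graph is the module requirement graph: Root is the main module (first
// requirer in the output) and Edges maps each "path@version" node to the
// nodes it requires.
type Graph struct {
	Root  string
	Edges map[string][]string
}

// ParseModGraph reads `go mod graph` text into a Graph. Malformed lines are skipped.
func ParseModGraph(text string) Graph {
	g := Graph{Edges: map[string][]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		if g.Root == "" {
			g.Root = fields[0]
		}
		g.Edges[fields[0]] = append(g.Edges[fields[0]], fields[1])
	}
	return g
}

// ModulePath strips the "@version" suffix so nodes can be matched by module path.
func ModulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// ShortestPath returns the shortest requirement chain (BFS) from the main
// module to any version of target, or nil when target is not in the graph.
func (g Graph) ShortestPath(target string) []string {
	parent := map[string]string{g.Root: ""}
	queue := []string{g.Root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if ModulePath(n) == target {
			var path []string
			for cur := n; cur != ""; cur = parent[cur] {
				path = append([]string{cur}, path...)
			}
			return path
		}
		for _, dep := range g.Edges[n] {
			if _, seen := parent[dep]; !seen {
				parent[dep] = n
				queue = append(queue, dep)
			}
		}
	}
	return nil
}

// Culprits lists the main module's direct requirements from which target is
// reachable, i.e. the go.mod lines a maintainer would bump or replace.
func (g Graph) Culprits(target string) []string {
	var out []string
	for _, direct := range g.Edges[g.Root] {
		if g.reaches(direct, target, map[string]bool{}) {
			out = append(out, ModulePath(direct))
		}
	}
	sort.Strings(out)
	return out
}

// reaches is a depth-first reachability check; seen guards against cycles.
func (g Graph) reaches(from, target string, seen map[string]bool) bool {
	if seen[from] {
		return false
	}
	seen[from] = true
	if ModulePath(from) == target {
		return true
	}
	for _, dep := range g.Edges[from] {
		if g.reaches(dep, target, seen) {
			return true
		}
	}
	return false
}

func main() {
	g := ParseModGraph(sampleGraph)
	// The three modules nancy flagged in the thread.
	for _, vuln := range []string{"github.com/coreos/etcd", "github.com/gorilla/websocket", "golang.org/x/crypto"} {
		fmt.Printf("%s\n  via direct deps: %v\n  chain: %s\n",
			vuln, g.Culprits(vuln), strings.Join(g.ShortestPath(vuln), " -> "))
	}
}
```

Against a real module, replace the constructed constant with the output of `go mod graph` captured from the repository at the tag under review; the culprit list then tells you whether a vulnerable module is reachable only through a third-party requirement (as with viper here) or through something the project requires itself.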