
Security vulnerability - CVE-2023-2253 - github.com/docker/distribution #1686

vishweshwarp opened this issue Jun 26, 2023 · 2 comments

@vishweshwarp

Hi Team,

Can you please fix the following security vulnerability?

Vulnerability: A flaw was found in the /v2/_catalog endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: n). This vulnerability allows a malicious user to submit an unreasonably large value for n, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

Found in dependency: github.com/docker/distribution
Current version: v2.7.1
Security vulnerability fixed in version: 2.8.2-beta.1

Thanks,
Vishweshwar
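
The n-parameter problem described in this report, as an added Go example that is not code from distribution or notary: the weak pattern (caller-controlled n used directly as the allocation size) beside a hardened parser that rejects invalid values and clamps to a server-side ceiling. The constant maxCatalogEntries, its value of 100, and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
)

// maxCatalogEntries is a hypothetical server-side ceiling on one page of
// catalog results; the value 100 is assumed for this example.
const maxCatalogEntries = 100

// unboundedPageSize mirrors the weak pattern the report describes: whatever
// n the client sends becomes the allocation size, so a huge n means a huge
// backing array and a memory denial-of-service risk.
func unboundedPageSize(raw string) (int, error) {
	if raw == "" {
		return maxCatalogEntries, nil
	}
	return strconv.Atoi(raw)
}

// boundedPageSize is the hardened form: non-numeric or negative n is
// rejected as a client error, and anything above the ceiling is clamped.
func boundedPageSize(raw string) (int, error) {
	if raw == "" {
		return maxCatalogEntries, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid pagination parameter n=%q", raw)
	}
	if n > maxCatalogEntries {
		n = maxCatalogEntries
	}
	return n, nil
}

// allocateRepos pre-sizes the result slice from the parsed page size, which
// is the allocation a catalog handler performs before filling it from storage.
func allocateRepos(pageSize int) []string {
	return make([]string, pageSize)
}

func main() {
	for _, raw := range []string{"", "10", "1000000000", "-1", "abc"} {
		n, err := boundedPageSize(raw)
		fmt.Printf("n=%q -> page size %d, err=%v\n", raw, n, err)
	}
}
```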

@thaJeztah
Contributor

While updating probably would do no harm, it is a false positive: that advisory only affects the registry service (i.e., when running a registry), not the library code that's used in this project;

The fix for that issue was in the registry/handlers/catalog.go file;
distribution/distribution@521ea3d#diff-db61d61258e5f8fca5d2eeaaa101b01a30b404ea18979c4b4a8ff90e82de09e2R51

And that code is not used by the code in this repository;
https://github.com/notaryproject/notary/tree/006963f1ded582c2cc5f5eb4d48dc6089ce3229b/vendor/github.com/docker/distribution/registry

@thaJeztah
Contributor

If you use govulncheck (which is aware of code that's used), it won't show that vulnerability; that said, there's an older vulnerability that is detected:

govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using go1.20.5 and [email protected] with
vulnerability data from https://vuln.go.dev (last modified 2023-06-22 16:44:55 +0000 UTC).

Scanning your code and 350 packages across 53 dependent modules for known vulnerabilities...
Your code is affected by 1 vulnerability from 1 module.

Vulnerability #1: GO-2023-1571
  A maliciously crafted HTTP/2 stream could cause excessive CPU
  consumption in the HPACK decoder, sufficient to cause a denial
  of service from a small number of small requests.

  More info: https://pkg.go.dev/vuln/GO-2023-1571

  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

    Call stacks in your code:
      cmd/escrow/config.go:21:26: github.com/theupdateframework/notary/cmd/escrow.parseConfig calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.ErrCode.String
      cmd/escrow/config.go:21:26: github.com/theupdateframework/notary/cmd/escrow.parseConfig calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.FrameHeader.String
      cmd/escrow/config.go:21:26: github.com/theupdateframework/notary/cmd/escrow.parseConfig calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.FrameType.String
      cmd/escrow/config.go:21:26: github.com/theupdateframework/notary/cmd/escrow.parseConfig calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.Setting.String
      cmd/escrow/config.go:21:26: github.com/theupdateframework/notary/cmd/escrow.parseConfig calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.SettingID.String
      cmd/escrow/config.go:21:26: github.com/theupdateframework/notary/cmd/escrow.parseConfig calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.writeData.String
      cmd/notary-signer/main.go:91:18: github.com/theupdateframework/notary/cmd/notary-signer.main calls google.golang.org/grpc.Server.Serve, which eventually calls golang.org/x/net/http2.Framer.ReadFrame
      cmd/notary-signer/main.go:91:18: github.com/theupdateframework/notary/cmd/notary-signer.main calls google.golang.org/grpc.Server.Serve, which eventually calls golang.org/x/net/http2.Framer.WriteGoAway
      cmd/notary-signer/main.go:91:18: github.com/theupdateframework/notary/cmd/notary-signer.main calls google.golang.org/grpc.Server.Serve, which eventually calls golang.org/x/net/http2.Framer.WritePing
      cmd/notary-signer/main.go:91:18: github.com/theupdateframework/notary/cmd/notary-signer.main calls google.golang.org/grpc.Server.Serve, which eventually calls golang.org/x/net/http2.Framer.WriteSettings
      cmd/notary-signer/main.go:91:18: github.com/theupdateframework/notary/cmd/notary-signer.main calls google.golang.org/grpc.Server.Serve, which eventually calls golang.org/x/net/http2.Framer.WriteSettingsAck
      cmd/notary-signer/main.go:91:18: github.com/theupdateframework/notary/cmd/notary-signer.main calls google.golang.org/grpc.Server.Serve, which eventually calls golang.org/x/net/http2.Framer.WriteWindowUpdate
      cmd/notary-signer/main.go:91:18: github.com/theupdateframework/notary/cmd/notary-signer.main calls google.golang.org/grpc.Server.Serve, which eventually calls golang.org/x/net/http2.SettingsFrame.ForeachSetting
      proto/signer.pb.go:591:40: github.com/theupdateframework/notary/proto.file_proto_signer_proto_rawDescGZIP calls sync.Once.Do, which eventually calls golang.org/x/net/http2.clientStream.writeRequestBody
      server/storage/rethinkdb.go:290:85: github.com/theupdateframework/notary/server/storage.RethinkDB.Delete calls golang.org/x/net/http2.ConnectionError.Error
      server/storage/rethinkdb.go:290:85: github.com/theupdateframework/notary/server/storage.RethinkDB.Delete calls golang.org/x/net/http2.GoAwayError.Error
      server/storage/rethinkdb.go:290:85: github.com/theupdateframework/notary/server/storage.RethinkDB.Delete calls golang.org/x/net/http2.StreamError.Error
      server/storage/rethinkdb.go:290:85: github.com/theupdateframework/notary/server/storage.RethinkDB.Delete calls golang.org/x/net/http2.connError.Error
      storage/httpstore.go:364:2: github.com/theupdateframework/notary/storage.HTTPStore.RotateKey calls golang.org/x/net/http2.gzipReader.Close
      storage/httpstore.go:364:2: github.com/theupdateframework/notary/storage.HTTPStore.RotateKey calls golang.org/x/net/http2.transportResponseBody.Close
      storage/httpstore.go:57:48: github.com/theupdateframework/notary/storage.NetworkError.Error calls github.com/docker/distribution/registry/api/errcode.Errors.Error, which eventually calls golang.org/x/net/http2.duplicatePseudoHeaderError.Error
      storage/httpstore.go:57:48: github.com/theupdateframework/notary/storage.NetworkError.Error calls github.com/docker/distribution/registry/api/errcode.Errors.Error, which eventually calls golang.org/x/net/http2.headerFieldNameError.Error
      storage/httpstore.go:57:48: github.com/theupdateframework/notary/storage.NetworkError.Error calls github.com/docker/distribution/registry/api/errcode.Errors.Error, which eventually calls golang.org/x/net/http2.headerFieldValueError.Error
      storage/httpstore.go:57:48: github.com/theupdateframework/notary/storage.NetworkError.Error calls github.com/docker/distribution/registry/api/errcode.Errors.Error, which eventually calls golang.org/x/net/http2.pseudoHeaderError.Error
      tuf/testutils/interfaces/cryptoservice.go:36:21: github.com/theupdateframework/notary/tuf/testutils/interfaces.EmptyCryptoServiceInterfaceBehaviorTests calls github.com/stretchr/testify/require.EqualValues, which eventually calls golang.org/x/net/http2.chunkWriter.Write
      tuf/testutils/interfaces/cryptoservice.go:36:21: github.com/theupdateframework/notary/tuf/testutils/interfaces.EmptyCryptoServiceInterfaceBehaviorTests calls github.com/stretchr/testify/require.EqualValues, which eventually calls golang.org/x/net/http2.stickyErrWriter.Write
      utils/configuration.go:234:26: github.com/theupdateframework/notary/utils.ParseViper calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.gzipReader.Read
      utils/configuration.go:234:26: github.com/theupdateframework/notary/utils.ParseViper calls github.com/spf13/viper.Viper.ReadInConfig, which eventually calls golang.org/x/net/http2.transportResponseBody.Read

      storage/httpstore.go:364:2: github.com/theupdateframework/notary/storage.HTTPStore.RotateKey calls golang.org/x/net/http2.transportResponseBody.Close, which eventually calls golang.org/x/net/http2/hpack.Decoder.Write

=== Informational ===

Found 6 vulnerabilities in packages that you import, but there are no call
stacks leading to the use of these vulnerabilities. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.
  More info: https://pkg.go.dev/vuln/GO-2022-1144
  Found in: golang.org/x/[email protected]
  Fixed in: golang.org/x/[email protected]

Vulnerability #2: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.
  More info: https://pkg.go.dev/vuln/GO-2022-0969
  Found in: golang.org/x/[email protected]
  Fixed in: golang.org/x/[email protected]

Vulnerability #3: GO-2022-0379
  Systems that rely on digest equivalence for image attestations
  may be vulnerable to type confusion. A maliciously crafted OCI
  Container Image can cause registry clients to parse the same
  image in two different ways without modifying the image's
  digest, invalidating the common pattern of relying on container
  image digests for equivalence. This problem has been addressed
  in newer versions by improving validation in manifest
  unmarshalling.
  More info: https://pkg.go.dev/vuln/GO-2022-0379
  Found in: github.com/docker/[email protected]+incompatible
  Fixed in: github.com/docker/[email protected]+incompatible

Vulnerability #4: GO-2022-0322
  The Prometheus client_golang HTTP server is vulnerable to a
  denial of service attack when handling requests with
  non-standard HTTP methods. In order to be affected, an
  instrumented software must use any of the
  promhttp.InstrumentHandler* middleware except
  `RequestsInFlight`; not filter any specific methods (e.g GET)
  before middleware; pass a metric with a "method" label name to a
  middleware; and not have any firewall/LB/proxy that filters away
  requests with unknown "method".
  More info: https://pkg.go.dev/vuln/GO-2022-0322
  Found in: github.com/prometheus/[email protected]
  Fixed in: github.com/prometheus/[email protected]

Vulnerability #5: GO-2022-0288
  An attacker can cause unbounded memory growth in servers
  accepting HTTP/2 requests.
  More info: https://pkg.go.dev/vuln/GO-2022-0288
  Found in: golang.org/x/[email protected]
  Fixed in: golang.org/x/[email protected]

Vulnerability #6: GO-2022-0236
  A malicious HTTP server or client can cause the net/http client
  or server to panic. ReadRequest and ReadResponse can hit an
  unrecoverable panic when reading a very large header (over 7MB
  on 64-bit architectures, or over 4MB on 32-bit ones). Transport
  and Client are vulnerable and the program can be made to crash
  by a malicious server. Server is not vulnerable by default, but
  can be if the default max header of 1MB is overridden by setting
  Server.MaxHeaderBytes to a higher value, in which case the
  program can be made to crash by a malicious client. This also
  affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken
  in golang.org/x/net/http/httpguts.
  More info: https://pkg.go.dev/vuln/GO-2022-0236
  Found in: golang.org/x/[email protected]
  Fixed in: golang.org/x/[email protected]
