
fix: bump dependencies to eliminate CVEs #274

Closed
wants to merge 1 commit into from

Conversation

@erikgb erikgb commented Nov 3, 2022

This bumps a few dependencies to fix CVEs reported by Trivy.

Fixes #273

Before:

D:~/projects/github/prometheus-msteams (master) $ trivy fs --security-checks vuln .
2022-11-03T21:36:23.458+0100    INFO    Vulnerability scanning is enabled
2022-11-03T21:36:23.463+0100    INFO    Number of language-specific files: 1
2022-11-03T21:36:23.463+0100    INFO    Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 16 (UNKNOWN: 8, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 2)

┌─────────────────────────────────────┬─────────────────────┬──────────┬───────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │         Installed Version         │           Fixed Version           │                            Title                             │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/Masterminds/goutils      │ CVE-2021-4238       │ UNKNOWN  │ 1.1.0                             │ 1.1.1                             │ Randomly-generated alphanumeric strings contain              │
│                                     │                     │          │                                   │                                   │ significantly less entropy                                   │
│                                     │                     │          │                                   │                                   │ than expected.                                               │
│                                     │                     │          │                                   │                                   │                                                              │
│                                     │                     │          │                                   │                                   │ The RandomAlphaNumeric and CryptoRandomAlphaNumeric          │
│                                     │                     │          │                                   │                                   │ functions...                                                 │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2021-4238                    │
│                                     ├─────────────────────┤          │                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-xg2h-wx96-xgxr │          │                                   │                                   │ RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as   │
│                                     │                     │          │                                   │                                   │ random as they should be                                     │
│                                     │                     │          │                                   │                                   │ https://github.com/advisories/GHSA-xg2h-wx96-xgxr            │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful      │ CVE-2022-1996       │ CRITICAL │ 0.0.0-20170410110728-ff4f55a20633 │ 2.16.0                            │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
│                                     ├─────────────────────┼──────────┤                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-r48q-9g5r-8q2h │ UNKNOWN  │                                   │                                   │ CORS filters that use an AllowedDomains configuration        │
│                                     │                     │          │                                   │                                   │ parameter can match domains outside...                       │
│                                     │                     │          │                                   │                                   │ https://github.com/advisories/GHSA-r48q-9g5r-8q2h            │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/labstack/echo/v4         │ CVE-2022-40083      │ CRITICAL │ 4.6.1                             │ 4.9.0                             │ URL Redirection to Untrusted Site ('Open Redirect')          │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-40083                   │
│                                     ├─────────────────────┼──────────┤                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-crxj-hrmp-4rwf │ UNKNOWN  │                                   │                                   │ Labstack Echo contains an open redirect vulnerability via    │
│                                     │                     │          │                                   │                                   │ the Static Handler component....                             │
│                                     │                     │          │                                   │                                   │ https://github.com/advisories/GHSA-crxj-hrmp-4rwf            │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/prometheus/client_golang │ CVE-2022-21698      │ HIGH     │ 1.4.0                             │ 1.11.1                            │ prometheus/client_golang: Denial of service using            │
│                                     │                     │          │                                   │                                   │ InstrumentHandlerCounter                                     │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-21698                   │
│                                     ├─────────────────────┼──────────┤                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-cg3q-j54f-5p7p │ UNKNOWN  │                                   │                                   │ The Prometheus client_golang HTTP server is vulnerable to a  │
│                                     │                     │          │                                   │                                   │ denial of service...                                         │
│                                     │                     │          │                                   │                                   │ https://github.com/advisories/GHSA-cg3q-j54f-5p7p            │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ go.mongodb.org/mongo-driver         │ CVE-2021-20329      │ MEDIUM   │ 1.0.3                             │ 1.5.1                             │ mongo-go-driver: specific cstrings input may not be properly │
│                                     │                     │          │                                   │                                   │ validated                                                    │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2021-20329                   │
│                                     ├─────────────────────┼──────────┤                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-f6mq-5m25-4r72 │ UNKNOWN  │                                   │                                   │ Due to improper input sanitization when marshalling Go       │
│                                     │                     │          │                                   │                                   │ objects into BSON, a...                                      │
│                                     │                     │          │                                   │                                   │ https://github.com/advisories/GHSA-f6mq-5m25-4r72            │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto                 │ CVE-2022-27191      │ HIGH     │ 0.0.0-20211215153901-e495a2d5b3d3 │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server            │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                   │
│                                     ├─────────────────────┼──────────┤                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-8c26-wmh5-6g9v │ UNKNOWN  │                                   │                                   │ Attackers can cause a crash in SSH servers when the server   │
│                                     │                     │          │                                   │                                   │ has...                                                       │
│                                     │                     │          │                                   │                                   │ https://github.com/advisories/GHSA-8c26-wmh5-6g9v            │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                    │ CVE-2022-27664      │ HIGH     │ 0.0.0-20211216030914-fe4d6282115f │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY  │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys                    │ CVE-2022-29526      │ MEDIUM   │ 0.0.0-20211216021012-1d35b9e2eb4e │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
├─────────────────────────────────────┼─────────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text                   │ CVE-2022-32149      │ HIGH     │ 0.3.7                             │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage      │
│                                     │                     │          │                                   │                                   │ takes a long time to parse complex tags                      │
│                                     │                     │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
│                                     ├─────────────────────┼──────────┤                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-69ch-w2m2-3vjp │ UNKNOWN  │                                   │                                   │ An attacker may cause a denial of service by crafting an     │
│                                     │                     │          │                                   │                                   │ Accept-Language...                                           │
│                                     │                     │          │                                   │                                   │ https://github.com/advisories/GHSA-69ch-w2m2-3vjp            │
└─────────────────────────────────────┴─────────────────────┴──────────┴───────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘
D:~/projects/github/prometheus-msteams (master) $

After:

D:~/projects/github/prometheus-msteams (bump-dependencies) $ trivy fs --security-checks vuln .
2022-11-03T21:35:57.210+0100    INFO    Vulnerability scanning is enabled
2022-11-03T21:35:57.217+0100    INFO    Number of language-specific files: 1
2022-11-03T21:35:57.218+0100    INFO    Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 6 (UNKNOWN: 4, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/Masterminds/goutils │ CVE-2021-4238       │ UNKNOWN  │ 1.1.0             │ 1.1.1         │ Randomly-generated alphanumeric strings contain            │
│                                │                     │          │                   │               │ significantly less entropy                                 │
│                                │                     │          │                   │               │ than expected.                                             │
│                                │                     │          │                   │               │                                                            │
│                                │                     │          │                   │               │ The RandomAlphaNumeric and CryptoRandomAlphaNumeric        │
│                                │                     │          │                   │               │ functions...                                               │
│                                │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-4238                  │
│                                ├─────────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│                                │ GHSA-xg2h-wx96-xgxr │          │                   │               │ RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as │
│                                │                     │          │                   │               │ random as they should be                                   │
│                                │                     │          │                   │               │ https://github.com/advisories/GHSA-xg2h-wx96-xgxr          │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go      │ CVE-2020-8911       │ MEDIUM   │ 1.43.11           │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                                │                     │          │                   │               │ SDK for golang...                                          │
│                                │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                                ├─────────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2020-8912       │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                                │                     │          │                   │               │ SDK for golang...                                          │
│                                │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
│                                ├─────────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ GHSA-7f33-f4f5-xwgw │ UNKNOWN  │                   │               │ The Go AWS S3 Crypto SDK contains vulnerabilities that can │
│                                │                     │          │                   │               │ permit an...                                               │
│                                │                     │          │                   │               │ https://github.com/advisories/GHSA-7f33-f4f5-xwgw          │
│                                ├─────────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ GHSA-f5pg-7wfw-84q9 │          │                   │               │ The Go AWS S3 Crypto SDK contains vulnerabilities that can │
│                                │                     │          │                   │               │ permit an...                                               │
│                                │                     │          │                   │               │ https://github.com/advisories/GHSA-f5pg-7wfw-84q9          │
└────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
D:~/projects/github/prometheus-msteams (bump-dependencies) $
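The "After" scan above still lists findings of two different kinds: github.com/Masterminds/goutils has a fixed version (1.1.1) and could be bumped, while the aws-sdk-go S3 crypto findings have no fixed version at all and can only be triaged. A merge gate should treat those differently, and it is easier to do that from Trivy's JSON output (`trivy fs --format json`) than from the table. The following Go program is an added example and not part of this PR or of the prometheus-msteams project: it parses a constructed report in Trivy's JSON shape (modelled on the rows above, not real scanner output), splits findings at or above a chosen severity into fixable and unfixable, and prints the `go get` commands a bump would need. The `Report`/`Vulnerability` structs only declare the Trivy fields the gate uses; the field names are Trivy's, the sample data and the threshold policy are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Report mirrors the subset of Trivy's JSON report (trivy fs --format json)
// that a merge gate needs. Fields not declared here are ignored by encoding/json.
type Report struct {
	Results []struct {
		Target          string          `json:"Target"`
		Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Vulnerability is one row of the table Trivy prints. FixedVersion is ""
// when the advisory has no fix yet (the aws-sdk-go S3 crypto findings above).
type Vulnerability struct {
	ID               string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
	Title            string `json:"Title"`
}

var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Triage splits findings at or above a severity floor into those a version
// bump removes and those that need a compensating control or risk acceptance.
type Triage struct {
	Fixable   []Vulnerability
	Unfixable []Vulnerability
}

func TriageReport(r Report, minSeverity string) Triage {
	var t Triage
	floor := severityRank[strings.ToUpper(minSeverity)]
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if severityRank[v.Severity] < floor {
				continue
			}
			if v.FixedVersion == "" {
				t.Unfixable = append(t.Unfixable, v)
			} else {
				t.Fixable = append(t.Fixable, v)
			}
		}
	}
	return t
}

// BumpCommands turns the fixable findings into one `go get` per module.
// Trivy prints Go module versions without the "v" prefix that `go get` needs.
// When one module has several fixed versions the lexicographically greatest is
// taken, which is right within one major.minor series; a production gate
// should compare with golang.org/x/mod/semver instead (assumption noted).
func BumpCommands(t Triage) []string {
	best := map[string]string{}
	for _, v := range t.Fixable {
		if cur, ok := best[v.PkgName]; !ok || v.FixedVersion > cur {
			best[v.PkgName] = v.FixedVersion
		}
	}
	cmds := make([]string, 0, len(best))
	for pkg, ver := range best {
		cmds = append(cmds, fmt.Sprintf("go get %s@v%s", pkg, ver))
	}
	sort.Strings(cmds)
	return cmds
}

// ParseReport decodes raw Trivy JSON (from a file or `trivy ... --format json`).
func ParseReport(data []byte) (Report, error) {
	var r Report
	err := json.Unmarshal(data, &r)
	return r, err
}

// sampleReport is constructed test data in Trivy's JSON shape, not scanner
// output: one fixable HIGH, one fixable UNKNOWN, two aws-sdk-go rows with no fix.
const sampleReport = `{"Results":[{"Target":"go.mod","Type":"gomod","Vulnerabilities":[
 {"VulnerabilityID":"CVE-2022-21698","PkgName":"github.com/prometheus/client_golang","InstalledVersion":"1.4.0","FixedVersion":"1.11.1","Severity":"HIGH","Title":"Denial of service using InstrumentHandlerCounter"},
 {"VulnerabilityID":"CVE-2021-4238","PkgName":"github.com/Masterminds/goutils","InstalledVersion":"1.1.0","FixedVersion":"1.1.1","Severity":"UNKNOWN","Title":"RandomAlphaNumeric is not as random as it should be"},
 {"VulnerabilityID":"CVE-2020-8911","PkgName":"github.com/aws/aws-sdk-go","InstalledVersion":"1.43.11","FixedVersion":"","Severity":"MEDIUM","Title":"CBC padding oracle issue in AWS S3 Crypto SDK"},
 {"VulnerabilityID":"CVE-2020-8912","PkgName":"github.com/aws/aws-sdk-go","InstalledVersion":"1.43.11","FixedVersion":"","Severity":"LOW","Title":"In-band key negotiation issue in AWS S3 Crypto SDK"}
]}]}`

func main() {
	r, err := ParseReport([]byte(sampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad report:", err)
		os.Exit(2)
	}
	t := TriageReport(r, "MEDIUM")
	for _, c := range BumpCommands(t) {
		fmt.Println(c)
	}
	for _, v := range t.Unfixable {
		fmt.Printf("no fix yet: %s in %s %s (%s)\n", v.ID, v.PkgName, v.InstalledVersion, v.Severity)
	}
	if len(t.Fixable) > 0 {
		os.Exit(1) // block the merge only on findings a bump would actually remove
	}
}
```

Two policy points are baked in and worth adjusting per project: the gate only fails on fixable findings, because a build that can never go green is ignored, and it prints unfixable ones for triage instead; and the UNKNOWN rows Trivy shows are usually GHSA aliases of a CVE row that already carries a severity, so a floor of HIGH loses nothing for the rows on this page, but a floor of UNKNOWN is the one to use when the question is "what is left to look at".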

Collaborator

zhan9san commented Apr 3, 2023

This is fixed in #283

@zhan9san zhan9san closed this Apr 3, 2023
Successfully merging this pull request may close these issues.

[BUG] Image contains CRITICAL/HIGH vulnerabilities