search

0xPolygonHermez / cdk-erigon

Ethereum implementation on the efficiency frontier
GNU Lesser General Public License v3.0
35 stars 40 forks source link

Dependency vulnerability threats #199

Closed louisliu2048 closed 1 month ago

louisliu2048 commented 8 months ago

System information

There are sereval vulnerability threats exist in this project's dependency, hope solve these problems.

Dependency go:github.com/consensys/gnark-crypto:v0.10.0 is vulnerable, safe version v0.12.1
Cx42455c0d-6fe9 9.8 Incorrect Calculation vulnerability with High severity found
CVE-2023-44273 9.8 Deserialization of Untrusted Data vulnerability with High severity found
Dependency go:github.com/jackc/pgx/v4:v4.18.1 is vulnerable, safe version v4.18.2
CVE-2024-27289 8.1 Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability with High severity found
Dependency go:github.com/libp2p/go-libp2p:v0.26.4 is vulnerable, safe version v0.33.0
CVE-2023-39533 7.5 Allocation of Resources Without Limits or Throttling vulnerability with High severity found
CVE-2023-40583 7.5 Uncontrolled Resource Consumption vulnerability with High severity found
Dependency go:golang.org/x/crypto:v0.9.0 is vulnerable, safe version v0.21.0
CVE-2023-48795 5.9 Insufficient Verification of Data Authenticity vulnerability with Medium severity found
CVE-2023-42818 9.8 Improper Restriction of Excessive Authentication Attempts vulnerability with High severity found
Dependency go:golang.org/x/net:v0.10.0 is vulnerable, safe version v0.22.0
CVE-2023-44487 5.3 Uncontrolled Resource Consumption vulnerability with Medium severity found
CVE-2023-3978 6.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability with Medium severity found
Dependency go:google.golang.org/grpc:v1.55.0 is vulnerable, safe version v1.62.1
CVE-2023-44487 5.3 Uncontrolled Resource Consumption vulnerability with Medium severity found
Dependency go:google.golang.org/protobuf:v1.30.0 is vulnerable, safe version v1.33.0
CVE-2024-24786 7.5 Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with High severity found
revitteth commented 8 months ago

Thanks for submitting - we're working on it! :)

afa7789 commented 1 month ago

@louisliu2048 louisliu2048, could you tell me which dependency checker you used ?