Pio1006 / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
0 stars 0 forks source link

CVE-2022-29526 (Medium) detected in github.com/golang/sys-v0.0.0-20190502141530-050d97668623, github.com/golang/sys-v0.0.0-20190302025430-12036c158aa7 - autoclosed #31

Closed mend-for-github-com[bot] closed 6 months ago

mend-for-github-com[bot] commented 9 months ago

CVE-2022-29526 - Medium Severity Vulnerability

Vulnerable Libraries - github.com/golang/sys-v0.0.0-20190502141530-050d97668623, github.com/golang/sys-v0.0.0-20190302025430-12036c158aa7

github.com/golang/sys-v0.0.0-20190502141530-050d97668623

[mirror] Go packages for low-level interaction with the operating system

Library home page: https://proxy.golang.org/github.com/golang/sys/@v/v0.0.0-20190502141530-050d97668623.zip

Path to dependency file: /examples/load-reporting-service/go.mod

Path to vulnerable library: /examples/load-reporting-service/go.mod

Dependency Hierarchy: - github.com/grpc/grpc-go-v1.25.1 (Root Library) - :x: **github.com/golang/sys-v0.0.0-20190502141530-050d97668623** (Vulnerable Library)

github.com/golang/sys-v0.0.0-20190302025430-12036c158aa7

[mirror] Go packages for low-level interaction with the operating system

Library home page: https://proxy.golang.org/github.com/golang/sys/@v/v0.0.0-20190302025430-12036c158aa7.zip

Path to dependency file: /examples/ext_authz/auth/grpc-service/go.mod

Path to vulnerable library: /examples/ext_authz/auth/grpc-service/go.mod

Dependency Hierarchy: - github.com/grpc/grpc-go-v1.25.1 (Root Library) - :x: **github.com/golang/sys-v0.0.0-20190302025430-12036c158aa7** (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-23

URL: CVE-2022-29526

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526

Release Date: 2022-06-23

Fix Resolution: go1.17.10,go1.18.2,go1.19

mend-for-github-com[bot] commented 6 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #51