Closed knqyf263 closed 4 months ago
Since GHSA doesn't eagerly review Go runtime/toolchain vulnerabilities (see https://github.com/aquasecurity/vuln-list-update/issues/288#issuecomment-2069271945), we parse the Go Vulnerability Database for Go runtime vulnerabilities.
trivy (gobinary)

Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 11, HIGH: 3, CRITICAL: 3)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| ... | ... | ... | ... | ... | ... | ... |
| stdlib | CVE-2023-45288 | HIGH | | 1.21.6 | 1.21.9, 1.22.2 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
| stdlib | CVE-2023-45289 | MEDIUM | | 1.21.6 | 1.21.8, 1.22.1 | golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect... (https://avd.aquasec.com/nvd/cve-2023-45289) |
| stdlib | CVE-2023-45290 | MEDIUM | | 1.21.6 | 1.21.8, 1.22.1 | golang: net/http: memory exhaustion in Request.ParseMultipartForm (https://avd.aquasec.com/nvd/cve-2023-45290) |
| stdlib | CVE-2024-24783 | MEDIUM | | 1.21.6 | 1.21.8, 1.22.1 | golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm... (https://avd.aquasec.com/nvd/cve-2024-24783) |
| stdlib | CVE-2024-24784 | MEDIUM | | 1.21.6 | 1.21.8, 1.22.1 | golang: net/mail: comments in display names are incorrectly handled (https://avd.aquasec.com/nvd/cve-2024-24784) |
| stdlib | CVE-2024-24785 | MEDIUM | | 1.21.6 | 1.21.8, 1.22.1 | golang: html/template: errors returned from MarshalJSON methods may break template escaping (https://avd.aquasec.com/nvd/cve-2024-24785) |
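The report above lists one stdlib version and, per advisory, one fixed version per supported Go minor line. The following Go program is an added illustration (not trivy's code and not the Go Vulnerability Database's own matcher) of how such a row is evaluated: it parses the installed stdlib version and the fixed-version list, compares within the same major.minor line when a fix exists there, and otherwise treats the binary as affected only if it is older than the oldest listed fix. The `StdlibAffected`/`OpenAdvisories` functions and the `Advisory` type are assumptions made for this example; the CVE ids and fixed versions are copied from the report, and pre-release versions such as `1.22rc1` are deliberately rejected rather than guessed at.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// goVersion is a parsed Go release version (major.minor.patch).
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "1.21.6", "go1.21.6" or "1.21" (patch defaults to 0).
// Pre-release forms ("1.22rc1") are rejected; trivy's own version parser is
// not reproduced here (assumption for this example).
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unsupported Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("unsupported Go version %q", s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

func (v goVersion) sameLine(o goVersion) bool {
	return v.major == o.major && v.minor == o.minor
}

// StdlibAffected reports whether a binary built with stdlib version `installed`
// is affected by an advisory whose fixed versions read as in the trivy report
// ("1.21.9, 1.22.2"). Rule: if a fix exists on the installed major.minor line,
// affected iff older than that fix; otherwise affected iff older than the
// oldest listed fix (newer lines shipped with the fix, older lines never got one).
func StdlibAffected(installed, fixedList string) (bool, error) {
	inst, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	var fixed []goVersion
	for _, f := range strings.Split(fixedList, ",") {
		if f = strings.TrimSpace(f); f == "" {
			continue
		}
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		fixed = append(fixed, fv)
	}
	if len(fixed) == 0 {
		return false, fmt.Errorf("no fixed version given")
	}
	sort.Slice(fixed, func(i, j int) bool { return fixed[i].less(fixed[j]) })
	for _, fv := range fixed {
		if inst.sameLine(fv) {
			return inst.less(fv), nil
		}
	}
	return inst.less(fixed[0]), nil
}

// Advisory is one row of the report reduced to the fields the check needs.
type Advisory struct{ ID, Fixed string }

// sampleAdvisories: the stdlib rows shown in the trivy output above.
var sampleAdvisories = []Advisory{
	{"CVE-2023-45288", "1.21.9, 1.22.2"},
	{"CVE-2023-45289", "1.21.8, 1.22.1"},
	{"CVE-2023-45290", "1.21.8, 1.22.1"},
	{"CVE-2024-24783", "1.21.8, 1.22.1"},
	{"CVE-2024-24784", "1.21.8, 1.22.1"},
	{"CVE-2024-24785", "1.21.8, 1.22.1"},
}

// OpenAdvisories returns the ids of advisories that still affect `installed`.
func OpenAdvisories(installed string, advisories []Advisory) ([]string, error) {
	var open []string
	for _, a := range advisories {
		hit, err := StdlibAffected(installed, a.Fixed)
		if err != nil {
			return nil, err
		}
		if hit {
			open = append(open, a.ID)
		}
	}
	return open, nil
}

func main() {
	for _, v := range []string{"1.21.6", "1.21.8", "1.22.0", "1.22.2", "1.20.14"} {
		open, err := OpenAdvisories(v, sampleAdvisories)
		if err != nil {
			fmt.Println(v, err)
			continue
		}
		fmt.Printf("go%s: %d open %v\n", v, len(open), open)
	}
}
```

Running it shows why the fixed-version column matters per line: a toolchain bumped only to 1.21.8 clears the five MEDIUM findings but still carries CVE-2023-45288, which needs 1.21.9 (or 1.22.2 on the 1.22 line).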
@DmitriyLewen Could you play with my change and add unit tests?
@knqyf263 LGTM. I added tests.
@DmitriyLewen Thanks! Can you approve it?
@knqyf263 Done!