aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

CVE-2024-24790: Affected software stdlib 1.21.5 present in the version of go this project is using #589

Closed razor54 closed 1 month ago

razor54 commented 2 months ago

Hello there, I was using EC2 instances with ECS, and when doing vulnerability scans I found this CVE on:

According to the CVE references, the Go version should be updated.

`cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*` Up to (excluding) 1.21.11
`cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*` From (including) 1.22.0 Up to (excluding) 1.22.4

Chnwanze commented 1 month ago

Hello @razor54, we have upgraded our go version to 1.22.7 in our last release (3.3.987.0) so this vulnerability shouldn't be an issue anymore. Closing this, feel free to reopen if you need to.
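
A scanner finding like the one in this thread can be cross-checked against the binary itself. The following is an added example, not code from the amazon-ssm-agent project: it reads the Go toolchain version embedded in each binary given on the command line and tests it against the two ranges quoted in the issue. The helper names `key` and `affected` are hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// key maps "go1.21.5" to 1021005 so versions compare as integers. A missing
// patch ("go1.22", "go1.22rc1") counts as .0, which errs towards "affected".
func key(goVersion string) (int, error) {
	var major, minor, patch int
	n, _ := fmt.Sscanf(goVersion, "go%d.%d.%d", &major, &minor, &patch)
	if n < 2 || major < 0 || minor < 0 || minor > 999 || patch < 0 || patch > 999 {
		return 0, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	return major*1000000 + minor*1000 + patch, nil
}

// affected applies the ranges quoted in the issue: below 1.21.11,
// or from 1.22.0 up to (excluding) 1.22.4.
func affected(goVersion string) (bool, error) {
	k, err := key(goVersion)
	return err == nil && (k < 1021011 || (k >= 1022000 && k < 1022004)), err
}

func main() {
	status := 0
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // Go version recorded in the binary at build time
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		hit, err := affected(info.GoVersion)
		fmt.Printf("%s: %s affected=%v err=%v\n", path, info.GoVersion, hit, err)
		if hit || err != nil {
			status = 1
		}
	}
	os.Exit(status)
}
```

The exit status is non-zero when any readable binary is in range or carries a version string the parser does not recognise, so the check can gate an image build.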