search

billmcchesney1 / linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
https://linkerd.io
Apache License 2.0
0 stars 0 forks source link

CVE-2021-3121 (High) detected in github.com/gogo/protobuf-v1.3.1 #156

Open mend-for-github-com[bot] opened 9 months ago

mend-for-github-com[bot] commented 9 months ago

CVE-2021-3121 - High Severity Vulnerability

Vulnerable Library - github.com/gogo/protobuf-v1.3.1

[Deprecated] Protocol Buffers for Go with Gadgets

Library home page: https://proxy.golang.org/github.com/gogo/protobuf/@v/v1.3.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/gogo/protobuf/@v/v1.3.1.mod

Dependency Hierarchy: - k8s.io/kube-aggregator-v0.18.8 (Root Library) - :x: **github.com/gogo/protobuf-v1.3.1** (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

Publish Date: 2021-01-11

URL: CVE-2021-3121

CVSS 3 Score Details (8.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Release Date: 2021-01-11

Fix Resolution: v1.3.2