*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Parsing invalid messages can panic.
Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
Found in HEAD commit: 2af5bf4b2261d6701b78451084d2d82d9cdd9875
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2023-24535
### Vulnerable Library - google.golang.org/protobuf-v1.29.0Library home page: https://proxy.golang.org/google.golang.org/protobuf/@v/v1.29.0.zip
Dependency Hierarchy: - go.temporal.io/sdk-v1.21.2-0.20230313212213-3d009e0d1f24 (Root Library) - :x: **google.golang.org/protobuf-v1.29.0** (Vulnerable Library)
Found in HEAD commit: 2af5bf4b2261d6701b78451084d2d82d9cdd9875
Found in base branch: master
### Vulnerability DetailsParsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
Publish Date: 2023-01-26
URL: CVE-2023-24535
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-hw7c-3rfg-p46j
Release Date: 2023-01-26
Fix Resolution: v1.29.1