dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License
0 stars 0 forks source link

modernc.org/sqlite-v1.21.0: 1 vulnerabilities (highest severity is: 5.5) - autoclosed #438

Open dhiaayachi opened 2 months ago

dhiaayachi commented 2 months ago
Vulnerable Library - modernc.org/sqlite-v1.21.0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (modernc.org/sqlite-v1.21.0 version) Remediation Available
CVE-2020-28928 Medium 5.5 modernc.org/libc-v1.22.3 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2020-28928 ### Vulnerable Library - modernc.org/libc-v1.22.3

Library home page: https://proxy.golang.org/modernc.org/libc/@v/v1.22.3.zip

Dependency Hierarchy: - modernc.org/sqlite-v1.21.0 (Root Library) - :x: **modernc.org/libc-v1.22.3** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

Publish Date: 2020-11-24

URL: CVE-2020-28928

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28928

Release Date: 2020-11-24

Fix Resolution: musl - 1.2.2-1,1.2.2-1,1.1.16-3+deb9u1

dhiaayachi commented 2 months ago

Thank you for reporting this vulnerability.

The vulnerability you have reported (CVE-2020-28928) affects the modernc.org/libc library, which is a transitive dependency of modernc.org/sqlite-v1.21.0. Unfortunately, there is no version of modernc.org/sqlite that includes a fix for this vulnerability.

The suggested fix is to upgrade musl to version 1.2.2-1, 1.2.2-1, or 1.1.16-3+deb9u1. However, this may require changes to your project's build configuration.

Please let me know if you have any further questions.

dhiaayachi commented 2 months ago

This vulnerability affects the modernc.org/libc library, which is a transitive dependency of your Temporal project. As mentioned in the details section, the vulnerability is fixed in musl version 1.2.2-1, 1.2.2-1, and 1.1.16-3+deb9u1.

Unfortunately, there isn't a version of modernc.org/sqlite that includes a fixed version of modernc.org/libc. Therefore, you'll need to consider alternative solutions to mitigate this vulnerability:

Please note that these solutions have their own trade-offs and may require further investigation and implementation. You should consult the Temporal documentation and potentially contact their support for guidance on the most appropriate solution for your project.