dunglas / frankenphp

🧟 The modern PHP app server
https://frankenphp.dev
MIT License

CVE-2024-22189 #829

Closed sybnex closed 3 months ago

sybnex commented 3 months ago

What happened?

Please update relevant libraries for successful vulnerability scans. Version v1.1.5

Build Type

Docker (Alpine)

Worker Mode

Yes

Operating System

GNU/Linux

CPU Architecture

arm64

PHP configuration

...

Relevant log output

```
usr/local/bin/frankenphp (gobinary)
===================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/quic-go/quic-go │ CVE-2024-22189 │ HIGH     │ fixed  │ v0.41.0           │ 0.42.0        │ quic-go: memory exhaustion attack against QUIC's connection │
│                            │                │          │        │                   │               │ ID mechanism                                                │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-22189                  │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```

dunglas commented 3 months ago

It's a false positive (that will be entirely gone when we tag the next release, which is in progress).

See https://x.com/mholt6/status/1792325234470904104