Closed dulajra closed 2 weeks ago
This is the full report on waved:
```
mlops-wave/venv/waved (gobinary)
================================
Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| golang.org/x/net | CVE-2023-45288 | MEDIUM | fixed | v0.22.0 | 0.23.0 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
| gopkg.in/square/go-jose.v2 | CVE-2024-28180 | MEDIUM | affected | v2.6.0 |  | jose-go: improper handling of highly compressed data (https://avd.aquasec.com/nvd/cve-2024-28180) |
| stdlib | CVE-2023-45288 | HIGH | fixed | 1.22.1 | 1.21.9, 1.22.2 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
| stdlib | CVE-2024-24788 | HIGH | fixed | 1.22.1 | 1.22.3 | golang: net: malformed DNS message can cause infinite loop (https://avd.aquasec.com/nvd/cve-2024-24788) |
| stdlib | CVE-2024-24789 | UNKNOWN | fixed | 1.22.1 | 1.21.11, 1.22.4 | The archive/zip package's handling of certain types of invalid zip fil ...... (https://avd.aquasec.com/nvd/cve-2024-24789) |
| stdlib | CVE-2024-24790 | UNKNOWN | fixed | 1.22.1 | 1.21.11, 1.22.4 | The various Is methods (IsPrivate, IsLoopback, etc) did not work as ex... (https://avd.aquasec.com/nvd/cve-2024-24790) |
The more we can fix, the better.
Fixed in https://github.com/h2oai/wave/commit/a90b902d4e153fc9eddc4ef7fe0ee5b0ad58b75b.
Bumped Go to 1.22.4 which should mitigate all the CVEs mentioned above. If not, let me know.
Edit: Didn't notice your comment @jakubhava.

- gopkg.in/square/go-jose.v2: has no fix atm if I read it correctly.
- golang.org/x/net: will bump and cut one more release.
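One way to check mechanically which of the findings above a toolchain or module bump actually closes, as an added example that is not part of this thread or of Wave's own code: the program below takes the "Fixed Version" cells exactly as Trivy prints them (one fixed version per supported Go minor line, e.g. `1.21.11, 1.22.4`; an empty cell meaning no fix has been published) and decides for each finding whether a given installed version is on a fixed line at or above the fixed patch. The `Report` slice is constructed from the table in this thread, and the rule that a toolchain on a minor line newer than every listed fixed line counts as fixed is an assumption about how Go backports security fixes, not something the report states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding mirrors one row of the Trivy table above (constructed from the report in this thread).
type Finding struct {
	Library      string
	CVE          string
	FixedVersion string // Trivy's "Fixed Version" cell; empty means no fix is available
}

// Report is the set of findings from the scan output in this thread.
var Report = []Finding{
	{"golang.org/x/net", "CVE-2023-45288", "0.23.0"},
	{"gopkg.in/square/go-jose.v2", "CVE-2024-28180", ""},
	{"stdlib", "CVE-2023-45288", "1.21.9, 1.22.2"},
	{"stdlib", "CVE-2024-24788", "1.22.3"},
	{"stdlib", "CVE-2024-24789", "1.21.11, 1.22.4"},
	{"stdlib", "CVE-2024-24790", "1.21.11, 1.22.4"},
}

// parseVersion turns "1.22.4", "go1.22.4" or "v0.23.0" into [major, minor, patch].
func parseVersion(s string) ([3]int, error) {
	s = strings.TrimPrefix(strings.TrimPrefix(strings.TrimSpace(s), "go"), "v")
	var out [3]int
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised version %q", s)
		}
		out[i] = n
	}
	return out, nil
}

// Remediated reports whether installed satisfies a Trivy fixed-version cell.
// If installed is on one of the listed minor lines, it is fixed only at or above that
// line's patch. If it is on no listed line, it counts as fixed only when its minor line is
// newer than every listed one (assumption: Go ships fixes in the next minor release and
// backports them to older lines). An empty cell means no fix exists: (false, false, nil).
func Remediated(installed, fixedCell string) (fixed bool, fixAvailable bool, err error) {
	if strings.TrimSpace(fixedCell) == "" {
		return false, false, nil
	}
	inst, err := parseVersion(installed)
	if err != nil {
		return false, true, err
	}
	var newestLine [3]int
	for _, f := range strings.Split(fixedCell, ",") {
		fv, perr := parseVersion(f)
		if perr != nil {
			return false, true, perr
		}
		if fv[0] == inst[0] && fv[1] == inst[1] {
			return inst[2] >= fv[2], true, nil
		}
		if fv[0] > newestLine[0] || (fv[0] == newestLine[0] && fv[1] > newestLine[1]) {
			newestLine = fv
		}
	}
	newer := inst[0] > newestLine[0] || (inst[0] == newestLine[0] && inst[1] > newestLine[1])
	return newer, true, nil
}

// Outstanding returns the CVEs from Report still open for the given library -> version map.
// A library missing from the map is reported as open, since nothing can be concluded about it.
func Outstanding(installed map[string]string) []string {
	var open []string
	for _, f := range Report {
		v, ok := installed[f.Library]
		if !ok {
			open = append(open, f.CVE+" ("+f.Library+": version not supplied)")
			continue
		}
		fixed, avail, err := Remediated(v, f.FixedVersion)
		switch {
		case err != nil:
			open = append(open, f.CVE+" ("+f.Library+": "+err.Error()+")")
		case !avail:
			open = append(open, f.CVE+" ("+f.Library+": no fixed version published)")
		case !fixed:
			open = append(open, f.CVE+" ("+f.Library+": "+v+" < "+f.FixedVersion+")")
		}
	}
	return open
}

func main() {
	// Versions as scanned, and the versions proposed in the comments above.
	before := map[string]string{"stdlib": "1.22.1", "golang.org/x/net": "v0.22.0", "gopkg.in/square/go-jose.v2": "v2.6.0"}
	after := map[string]string{"stdlib": "1.22.4", "golang.org/x/net": "v0.23.0", "gopkg.in/square/go-jose.v2": "v2.6.0"}
	fmt.Println("before bump:", Outstanding(before))
	fmt.Println("after bump: ", Outstanding(after))
}
```

Run as-is, the "after" set leaves only CVE-2024-28180 open, which matches the comment that go-jose has no fix; rerunning the actual scanner against the rebuilt binary is still the authoritative check, since this only reasons about version strings.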
Thanks a lot @mturoci.
Wave SDK Version, OS
1.3.1
Actual behavior
The following HIGH security vulnerability is present in the latest Wave version.
Expected behavior
0 HIGH and CRITICAL vulnerabilities.