Closed grantliu3 closed 2 years ago
Refs https://github.com/hashicorp/go-discover/pull/174
We've determined that Consul is not affected by this vulnerability (jwt-go is pulled in as a nested dependency under the Azure provider for go-discover and the vulnerable code is not called by any Consul functionality), but do still want to get it cleaned up to remove the false positive.
$ go mod why -m github.com/dgrijalva/jwt-go
# github.com/dgrijalva/jwt-go
github.com/hashicorp/consul/agent
github.com/hashicorp/go-discover
github.com/hashicorp/go-discover/provider/azure
github.com/Azure/go-autorest/autorest
github.com/Azure/go-autorest/autorest/adal
github.com/dgrijalva/jwt-go
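As an added example (not part of the issue thread or of Consul's own code): a small Go program that parses the text `go mod why -m` prints, like the output quoted above, and reports for each module whether it is in the import graph at all and which direct dependency pulls it in. The sample input is constructed from the issue's stanza plus a made-up module `example.com/unused` to show the "(main module does not need module ...)" shape; the main-module path `github.com/hashicorp/consul` and the function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample input, not captured from a real run: the first stanza is
// the `go mod why -m github.com/dgrijalva/jwt-go` output quoted in the issue,
// the second is the shape `go mod why` prints for a module the build does not
// need (example.com/unused is a made-up module name).
const sampleWhyOutput = `# github.com/dgrijalva/jwt-go
github.com/hashicorp/consul/agent
github.com/hashicorp/go-discover
github.com/hashicorp/go-discover/provider/azure
github.com/Azure/go-autorest/autorest
github.com/Azure/go-autorest/autorest/adal
github.com/dgrijalva/jwt-go

# example.com/unused
(main module does not need module example.com/unused)
`

// WhyResult is one stanza of `go mod why -m` output.
type WhyResult struct {
	Module string   // module named on the "# ..." header line
	Chain  []string // import chain from a main-module package down to the module; empty if not needed
}

// Needed reports whether some package of the main module transitively imports the module.
func (r WhyResult) Needed() bool { return len(r.Chain) > 0 }

// Bridge returns the first package on the chain that lives outside the main
// module, i.e. the direct dependency responsible for pulling the flagged
// module in. It returns "" when the module is not needed.
func (r WhyResult) Bridge(mainModule string) string {
	for _, pkg := range r.Chain {
		if pkg != mainModule && !strings.HasPrefix(pkg, mainModule+"/") {
			return pkg
		}
	}
	return ""
}

// ParseGoModWhy parses what `go mod why -m <modules...>` writes to stdout.
// Stanzas start with "# <module>", are separated by blank lines, and contain
// either one import path per line or a single parenthesised explanation.
func ParseGoModWhy(out string) ([]WhyResult, error) {
	var results []WhyResult
	cur := -1 // index of the stanza being filled; -1 before the first header
	for n, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "# "):
			results = append(results, WhyResult{Module: strings.TrimPrefix(line, "# ")})
			cur = len(results) - 1
		case cur < 0:
			return nil, fmt.Errorf("line %d: %q appears before any \"# module\" header", n+1, line)
		case strings.HasPrefix(line, "("):
			// "(main module does not need module X)": leave Chain empty.
		default:
			results[cur].Chain = append(results[cur].Chain, line)
		}
	}
	return results, nil
}

// Triage annotates each stanza the way a scanner finding would be triaged:
// not in the build at all, or in the build via a named direct dependency.
func Triage(out, mainModule string) ([]string, error) {
	results, err := ParseGoModWhy(out)
	if err != nil {
		return nil, err
	}
	var notes []string
	for _, r := range results {
		if !r.Needed() {
			notes = append(notes, fmt.Sprintf("%s: not imported by any package of %s; finding does not apply to the build", r.Module, mainModule))
			continue
		}
		notes = append(notes, fmt.Sprintf("%s: imported via %s (%d packages deep); still check whether the vulnerable code path is actually called", r.Module, r.Bridge(mainModule), len(r.Chain)))
	}
	return notes, nil
}

func main() {
	notes, err := Triage(sampleWhyOutput, "github.com/hashicorp/consul")
	if err != nil {
		panic(err)
	}
	for _, n := range notes {
		fmt.Println(n)
	}
}
```

`go mod why` only answers the import-graph question (is the module reachable through imports at all, and through which dependency); it says nothing about whether the vulnerable function is ever called, which is the second half of the determination in the comment above. For that call-level reachability the Go team's `govulncheck` (golang.org/x/vuln) does static call-graph analysis of the flagged symbols, so the two checks complement each other when triaging a scanner finding.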
@mikemorris thanks a lot for your confirmation! I'm going to mark this CVE as a false positive for the Consul image in our security scan as well, and look forward to removing the false positive in a future release, thanks!
Overview of the Issue
Our security scan tool found a vulnerability regarding jwt-go in the Consul image. The CVE link: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26160
Is it possible to bump up the version of jwt-go to v4.0.0-preview1 to address the CVE? Or could you please confirm whether Consul is affected by this CVE of jwt-go or not? Thanks in advance!
Reproduction Steps
Consul info for both Client and Server
Consul version: v1.10.2
Log Fragments