Open andrew-solace opened 2 years ago
I have also tested with 1.13.2 using the consul image in github, and there are still two issues:
https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714 and https://github.com/advisories/GHSA-gv9j-4w24-q7vx
Overview of the Issue
Amazon Inspector is detecting GO and CoreDNS vulnerabilities in consul version 1.11.4
Reproduction Steps
Steps to reproduce this issue, eg:
Consul info for both Client and Server
version 1.11.4
Operating system and Environment details
UBI 8
Log Fragments
CVE-2020-26160 - github.com/dgrijalva/jwt-go, github.com/dgrijalva/jwt-go A vulnerability was found in jwt-go where it is vulnerable to Access Restriction Bypass if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect if required is set to false.
CVE-2022-28948 - gopkg.in/yaml.v3, gopkg.in/yaml.v3 A flaw was found in the Unmarshal function in Go-Yaml. The issue causes the program to crash when attempting to deserialize invalid input.
gopkg.in/yaml.v3 is a YAML support package for the Go language. Affected versions of this package are vulnerable to NULL Pointer Dereference when parsing
#\n-\n-\n0
via theparserc.go
parser.GHSA-gv9j-4w24-q7vx - github.com/coredns/coredns, github.com/coredns/coredns
Impact CoreDNS before 1.6.6 (using go DNS package < 1.1.25) improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries. ### Patches The problem has been fixed in 1.6.6+. ### References - CVE-2019-19794 ### For more information Please consult our security guide for more information regarding our security process.