hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

PRISMA-2023-0056 Reported from Twistlock #20605

Open dpericaxon opened 7 months ago

dpericaxon commented 7 months ago

Hello, we ran a twistlock scan and got this finding:

CVE: PRISMA-2023-0056
Image: hashicorp/consul:1.17.2
Description: The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without newlines causes the log writer function to hang indefinitely.
Distro: alpine-3.18.5
Package: github.com/sirupsen/logrus v1.9.0
Package Path: /bin/consul
Info: https://github.com/sirupsen/logrus/issues/1370

I think it's coming from here: https://github.com/hashicorp/consul/blob/main/go.mod#L250

Are there plans to bump this dependency?
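Added example (not code from this issue, from Consul, or from logrus): the scan finding above describes a newline-free log entry larger than 64kb making the log writer hang. That figure matches the Go standard library's default bufio.Scanner token limit, bufio.MaxScanTokenSize (64 KiB); that this is the limit behind the logrus report is an assumption here, and the example does not import logrus or reproduce the hang itself. It shows what a line-oriented reader loop does with such an entry (the default scanner stops with bufio.ErrTooLong before returning any line, so the oversized entry and everything after it are lost), the reader-side fix of raising the token limit, and a producer-side guard that caps entry size before it reaches the writer. scanLines, capEntry and oversizedEntry are hypothetical helper names, and the sample input is constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// scanLines consumes r line by line with a bufio.Scanner, the way a
// log-forwarding goroutine typically does, and returns the lines read
// plus the scanner's final error. maxToken is the scanner's maximum
// token size; 0 keeps the stdlib default, bufio.MaxScanTokenSize (64 KiB).
func scanLines(r io.Reader, maxToken int) ([]string, error) {
	sc := bufio.NewScanner(r)
	if maxToken > 0 {
		// Buffer must be called before the first Scan.
		sc.Buffer(make([]byte, 0, 4096), maxToken)
	}
	var lines []string
	for sc.Scan() {
		lines = append(lines, sc.Text())
	}
	return lines, sc.Err()
}

// capEntry is a hypothetical producer-side guard (not a logrus API): it
// truncates one log entry to limit bytes so no single entry can exceed
// the reader's token size. The marker keeps the cut visible in the logs.
// Note the reader also needs room for the trailing newline, so limit must
// stay below the scanner's maximum token size, not equal to it.
func capEntry(entry string, limit int) string {
	if len(entry) <= limit {
		return entry
	}
	const marker = "...[truncated]"
	if limit <= len(marker) {
		return entry[:limit]
	}
	return entry[:limit-len(marker)] + marker
}

// oversizedEntry builds a constructed sample: one entry of n bytes with no
// newline inside it, followed by an ordinary entry that should still be read.
func oversizedEntry(n int) io.Reader {
	var b bytes.Buffer
	b.WriteString(strings.Repeat("A", n))
	b.WriteString("\n")
	b.WriteString("normal entry\n")
	return &b
}

func main() {
	big := bufio.MaxScanTokenSize + 1 // one byte over the default limit

	// Default scanner: the oversized token is never returned, the loop stops
	// with ErrTooLong, and the trailing "normal entry" is lost as well.
	lines, err := scanLines(oversizedEntry(big), 0)
	fmt.Printf("default: %d lines, tooLong=%v\n", len(lines), errors.Is(err, bufio.ErrTooLong))

	// Reader-side fix: raise the scanner's maximum token size.
	lines, err = scanLines(oversizedEntry(big), 1<<20)
	fmt.Printf("1 MiB limit: %d lines, err=%v\n", len(lines), err)

	// Producer-side fix: cap the entry well under the limit before writing it.
	capped := capEntry(strings.Repeat("A", big), bufio.MaxScanTokenSize/2)
	lines, err = scanLines(strings.NewReader(capped+"\nnormal entry\n"), 0)
	fmt.Printf("capped: %d lines, err=%v\n", len(lines), err)
}
```

Either fix on its own closes the gap shown here: a consumer that raises its token limit (or reads with bufio.Reader instead of a Scanner) survives the large entry, and a producer that caps entries never produces one. Which of these the logrus maintainers chose is not stated on this page; check the linked issue and the version you are upgrading to.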

sarah-oloumi commented 2 weeks ago

It's been some time and this is still being detected in v1.19.x of Consul. I wanted to see if there are any updates on this?