Open mend-for-github-com[bot] opened 10 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20210322153248-0c34fe9e7dc2.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/crypto/@v/v0.0.0-20210322153248-0c34fe9e7dc2.mod
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-27191
### Vulnerable Library - golang.org/x/crypto-v0.0.0-20210322153248-0c34fe9e7dc2Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20210322153248-0c34fe9e7dc2.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/crypto/@v/v0.0.0-20210322153248-0c34fe9e7dc2.mod
Dependency Hierarchy: - :x: **golang.org/x/crypto-v0.0.0-20210322153248-0c34fe9e7dc2** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191
Release Date: 2022-03-18
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1
In order to enable automatic remediation, please create workflow rules
CVE-2021-43565
### Vulnerable Library - golang.org/x/crypto-v0.0.0-20210322153248-0c34fe9e7dc2Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20210322153248-0c34fe9e7dc2.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/crypto/@v/v0.0.0-20210322153248-0c34fe9e7dc2.mod
Dependency Hierarchy: - :x: **golang.org/x/crypto-v0.0.0-20210322153248-0c34fe9e7dc2** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
Publish Date: 2022-09-06
URL: CVE-2021-43565
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565
Release Date: 2021-11-10
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules