nats-io / nats-streaming-server

NATS Streaming System Server
https://nats.io
Apache License 2.0

Security issue in latest nats-streaming image #1306

Open vr2388 opened 3 months ago

vr2388 commented 3 months ago

When we scan the nats-streaming latest image we get the following CRITICAL and HIGH severity issues:

nats-streaming-server (gobinary)
================================
Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 1, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.15.0           │ 0.17.0          │ ssh: Prefix truncation attack on Binary Packet Protocol      │
│                     │                │          │        │                   │                 │ (BPP)                                                        │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-48795                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2024-24790 │ CRITICAL │        │ 1.20.11           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                     │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                     ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                     │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                     ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
NAME                 INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
golang.org/x/crypto  v0.15.0    0.17.0    go-module  GHSA-45x7-px36-x8w8  Medium    
stdlib               go1.20.11            go-module  CVE-2024-24790       Critical  
stdlib               go1.20.11            go-module  CVE-2024-24791       High      
stdlib               go1.20.11            go-module  CVE-2023-45285       High     

Please provide fix for these security issues.

ripienaar commented 3 months ago
The NATS Streaming Server is being deprecated. Critical bug fixes and security fixes will be applied until June of 2023.

This is now unsupported; no one should be using it anymore if security fixes are critical.