percona / mongodb_exporter

A Prometheus exporter for MongoDB including sharding, replication and storage engines
Apache License 2.0

mongodb_exporter affected by CVE-2024-24790 #879

Open bpfoster opened 1 month ago

bpfoster commented 1 month ago

Describe the bug

mongodb_exporter v0.40.0 appears to be affected by critical CVE-2024-24790, aka GO-2024-2887, a vulnerability in the Go stdlib.

To Reproduce

Steps to reproduce the behavior:

  1. Scan the binary with govulncheck -mode binary mongodb_exporter
  2. See results. There are many but this one specifically:
    Vulnerability #3: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
    More info: https://pkg.go.dev/vuln/GO-2024-2887
    Standard library
    Found in: net/netip@go1.21.3
    Fixed in: net/netip@go1.21.11
    Vulnerable symbols found:
      #1: netip.Addr.IsGlobalUnicast
      #2: netip.Addr.IsInterfaceLocalMulticast
      #3: netip.Addr.IsLinkLocalMulticast
      #4: netip.Addr.IsLoopback
      #5: netip.Addr.IsMulticast
      #6: netip.Addr.IsPrivate

Expected behavior

No critical vulnerabilities in the software.

Additional context

AFAIK all you need to do is recompile with a newer version of Go (1.22.4+).
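
As an added illustration, not part of this issue or of mongodb_exporter's code: the program below shows the behaviour GO-2024-2887 describes and a toolchain-independent way to classify addresses. `Compare` prints the raw `IsPrivate`/`IsLoopback` result beside the same check after `Unmap()`; on a Go release before the fix (1.21.11 / 1.22.4) the raw column is false for `::ffff:10.1.2.3` and `::ffff:127.0.0.1`, while on a fixed release both columns agree. `IsInternalTarget` is a hypothetical helper of the kind an exporter or scraper might use to refuse internal targets; it unmaps before calling any `Is*` method, so it gives the same answer whatever toolchain built the binary. The addresses are constructed sample inputs.

```go
package main

import (
	"fmt"
	"net/netip"
	"runtime"
)

// classifyAddr reports whether addr lies in a non-global range
// (private, loopback, link-local, multicast, unspecified). It unmaps
// IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) first, so the result does
// not depend on whether the stdlib's Is* methods handle them (the bug
// tracked as GO-2024-2887 / CVE-2024-24790).
func classifyAddr(addr netip.Addr) bool {
	a := addr.Unmap() // no-op for plain IPv4 and plain IPv6
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() || a.IsUnspecified()
}

// IsInternalTarget is a hypothetical guard: it parses a host string and
// returns true when the address must not be treated as public.
// Unparseable input is treated as internal (fail closed).
func IsInternalTarget(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return true
	}
	return classifyAddr(addr)
}

// Compare returns the raw stdlib verdict next to the unmapped one, so
// the two can be printed side by side on the current toolchain.
func Compare(s string) (raw, unmapped bool) {
	addr := netip.MustParseAddr(s)
	raw = addr.IsPrivate() || addr.IsLoopback()
	u := addr.Unmap()
	unmapped = u.IsPrivate() || u.IsLoopback()
	return raw, unmapped
}

func main() {
	fmt.Println("toolchain:", runtime.Version())
	// Constructed sample inputs: each IPv4 address beside its IPv4-mapped
	// IPv6 spelling, plus a public address and a link-local IPv6 address.
	samples := []string{
		"10.1.2.3", "::ffff:10.1.2.3",
		"127.0.0.1", "::ffff:127.0.0.1",
		"8.8.8.8", "::ffff:8.8.8.8",
		"fe80::1",
	}
	for _, s := range samples {
		raw, unmapped := Compare(s)
		fmt.Printf("%-18s raw=%-5v unmapped=%-5v internal=%v\n",
			s, raw, unmapped, IsInternalTarget(s))
	}
}
```

To see which toolchain built a shipped binary, `go version -m mongodb_exporter` prints the embedded Go version and module list, which is the same information govulncheck uses in `-mode binary`.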

BupycHuk commented 1 month ago

Hi @bpfoster, it will be fixed by a new release in the upcoming weeks.