prometheus / mysqld_exporter

Exporter for MySQL server metrics
http://prometheus.io/
Apache License 2.0

Latest release v0.13.0 has CVE-2020-14040 (score 7.5) from dependency golang.org/x/text v0.3.1 #606

Closed dsharp-pivotal closed 1 year ago

dsharp-pivotal commented 2 years ago

Hello,

mysqld_exporter showed up in a security scan because it contains golang.org/x/text@v0.3.2

https://nvd.nist.gov/vuln/detail/CVE-2020-14040

golang.org/x/text is included in v0.13.0 by this dependency chain:

→ go mod why -m golang.org/x/text
# golang.org/x/text
github.com/prometheus/mysqld_exporter
github.com/prometheus/exporter-toolkit/web
github.com/prometheus/common/config
golang.org/x/net/http2
golang.org/x/net/idna
golang.org/x/text/secure/bidirule

Would it be possible to:

CC: @colins

ryanwittrup commented 2 years ago

Bumping this based off a newer CVE, for the golang.org/x/crypto package

https://nvd.nist.gov/vuln/detail/CVE-2022-27191

+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2022-27191   | HIGH     | v0.0.0-20210616213533-5ff15b29337e | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a                    |
|                     |                  |          |                                    |                                   | golang.org/x/crypto/ssh server        |
|                     |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27191 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
→ go mod why -m golang.org/x/crypto
go: downloading github.com/go-kit/log v0.2.0
go: downloading github.com/prometheus/exporter-toolkit v0.7.1
go: downloading gopkg.in/alecthomas/kingpin.v2 v2.2.6
go: downloading gopkg.in/ini.v1 v1.66.4
go: downloading github.com/smartystreets/goconvey v1.7.2
go: downloading golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
go: downloading gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15
go: downloading github.com/go-logfmt/logfmt v0.5.1
go: downloading golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
go: downloading github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
go: downloading github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d
go: downloading github.com/stretchr/testify v1.4.0
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.1
go: downloading golang.org/x/net v0.0.0-20210525063256-abc453219eb5
go: downloading golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
go: downloading github.com/jtolds/gls v4.20.0+incompatible
go: downloading github.com/smartystreets/assertions v1.2.0
go: downloading google.golang.org/appengine v1.6.6
go: downloading github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1
# golang.org/x/crypto
github.com/prometheus/mysqld_exporter
github.com/prometheus/exporter-toolkit/web
golang.org/x/crypto/bcrypt

Please let us know if it would be better to split these into two different issues.

SuperQ commented 2 years ago

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable. Please also include a reproduction case.

dpippenger commented 1 year ago

I would ask you to reconsider your position. Having defects that are resolvable by upgrading components is generally good security practice. By rejecting these results simply because we can't figure out how to exploit it just proves we aren't the best hackers. I would personally not bet my company on the fact I'm a better expert on exploiting code than a teenager with a fridge full of hot pockets.

SuperQ commented 1 year ago

@dpippenger So, a good example here is reporting CVE-2022-27191. If you just read the report, it says SSH.

There is no use of SSH in this code. It's trivially verifiable that this is not a problem here. Yet, the scanner says HIGH.

The scanner is defective, as it only looks at the top level repo version dependencies and not the included code.
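A package-level check of the kind this comment calls for, added here as an example and not code from the issue or from mysqld_exporter: it walks the package import graph that `go list -deps -json ./...` emits (real fields `ImportPath` and `Imports`), using a constructed graph that mirrors the `go mod why` chains quoted above, and asks whether the package a finding names is compiled into the build at all, not merely whether its module appears in go.mod.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like `go list -deps -json ./...` records with only
# ImportPath and Imports kept. It mirrors the chains shown in this issue:
# mysqld_exporter -> exporter-toolkit/web -> x/crypto/bcrypt, and no x/crypto/ssh.
BUILD_PACKAGES = [
    {"ImportPath": "github.com/prometheus/mysqld_exporter",
     "Imports": ["github.com/prometheus/exporter-toolkit/web"]},
    {"ImportPath": "github.com/prometheus/exporter-toolkit/web",
     "Imports": ["golang.org/x/crypto/bcrypt", "golang.org/x/net/http2"]},
    {"ImportPath": "golang.org/x/crypto/bcrypt", "Imports": []},
    {"ImportPath": "golang.org/x/net/http2", "Imports": []},
]

# Scanner finding as quoted in the table above; the affected package list is
# the triage input, and here follows the table's "x/crypto/ssh server" title.
FINDING = {"id": "CVE-2022-27191", "module": "golang.org/x/crypto",
           "affected_packages": ["golang.org/x/crypto/ssh"]}

ROOT = "github.com/prometheus/mysqld_exporter"


def import_chain(packages: List[dict], root: str, target: str) -> Optional[List[str]]:
    """Shortest import path from root to target over the build's package graph
    (BFS), or None when target is not part of the build at all."""
    graph: Dict[str, List[str]] = {p["ImportPath"]: p["Imports"] for p in packages}
    parent: Dict[str, Optional[str]] = {root: None}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        if cur == target:
            chain: List[str] = []
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            return chain[::-1]
        for nxt in graph.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def triage(packages: List[dict], root: str, finding: dict) -> Tuple[bool, Optional[List[str]]]:
    """A module-level hit matters only if one affected package is in the graph."""
    for pkg in finding["affected_packages"]:
        chain = import_chain(packages, root, pkg)
        if chain:
            return True, chain
    return False, None


if __name__ == "__main__":
    print(FINDING["id"], triage(BUILD_PACKAGES, ROOT, FINDING))
    print("bcrypt", import_chain(BUILD_PACKAGES, ROOT, "golang.org/x/crypto/bcrypt"))
```

Package presence is still coarser than the symbol-level analysis a tool such as govulncheck performs: a package in the build need not call the vulnerable function.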

SuperQ commented 1 year ago

Either way, this was fixed in v0.14.0.