pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0
466 stars 157 forks

CVE-2024-24791 in v6.42.0 #4163

Closed SivaneshLogandurai closed 4 months ago

SivaneshLogandurai commented 4 months ago

Describe what happened

Our scanning jobs have identified a new CVE "CVE-2024-24791" in the pulumi-std v1.7.2. This is an issue with the Go standard library net/http.

Sample program

N/A

Log output

Scan result

{
  "Target": "home/appian/.pulumi/plugins/resource-aws-v6.42.0/pulumi-resource-aws",
  "Class": "lang-pkgs",
  "Type": "gobinary",
  "Vulnerabilities": [
    {
      "VulnerabilityID": "CVE-2024-24791",
      "PkgName": "stdlib",
      "PkgIdentifier": {
        "PURL": "pkg:golang/stdlib@1.22.4",
        "UID": "f2328c2729d2b74b"
      },
      "InstalledVersion": "1.22.4",
      "FixedVersion": "1.21.12, 1.22.5",
      "Status": "fixed",
      "Layer": {
        "Digest": "sha256:12b42ef700cd619bf6b070c29488e45d2706debd29cc072b6c70cfc476aba9bb",
        "DiffID": "sha256:c01c35830eba6aa5d25006afdecebf6a3ed84701acf2ab573180bd5dc488c3c0"
      },
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24791",
      "DataSource": {
        "ID": "govulndb",
        "Name": "The Go Vulnerability Database",
        "URL": "https://pkg.go.dev/vuln/"
      },
      "Description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.",
      "Severity": "UNKNOWN",
      "References": [
        "https://go.dev/cl/591255",
        "https://go.dev/issue/67555",
        "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
        "https://pkg.go.dev/vuln/GO-2024-2963"
      ],
      "PublishedDate": "2024-07-02T22:15:04.833Z",
      "LastModifiedDate": "2024-07-02T22:15:04.833Z"
    }
  ]
}

Affected Resource(s)

No response

Output of pulumi about

Using pulumi v3.122.0 and pulumi-aws v6.42.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
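The scan above flags the plugin because of the Go toolchain it was compiled with (stdlib 1.22.4), not because of any pulumi-aws source. A quick way to confirm that finding, or to verify a rebuilt plugin, is to read the toolchain version embedded in the binary and compare it against the fixed releases the scanner reports ("1.21.12, 1.22.5"). The program below is an added example written for this page; it is not code from the pulumi-aws project. It uses the standard `debug/buildinfo` package, treats everything older than 1.21.12 and the 1.22.0 to 1.22.4 range as affected (matching the GO-2024-2963 advisory the scan references), and assumes the binary path is passed as its first argument (with no argument it inspects its own executable).

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is the parsed major.minor.patch of a toolchain string such as "go1.22.4".
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "go1.22.4", "1.21.12" or "go1.22" (patch defaults to 0).
// Pre-release strings such as "go1.23rc1" are rejected rather than guessed at.
func parseGoVersion(s string) (goVersion, error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// less reports whether a sorts before b.
func (a goVersion) less(b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// fixedIn is the first release of each patched line, as reported by the scanner
// ("FixedVersion": "1.21.12, 1.22.5").
var fixedIn = []goVersion{{1, 21, 12}, {1, 22, 5}}

// isVulnerable reports whether a toolchain version lies in the affected range for
// CVE-2024-24791: anything before 1.21.12, and 1.22.0 up to 1.22.4. Later minor
// lines (1.23 and up) were released with the fix already in place.
func isVulnerable(v goVersion) bool {
	for _, f := range fixedIn {
		if v.major == f.major && v.minor == f.minor {
			return v.less(f) // on a patched line: vulnerable only below the fix
		}
	}
	return v.less(fixedIn[0]) // off any patched line: vulnerable if older than the first fix
}

// checkBinary reads the Go version recorded in a Go binary (for example a
// pulumi-resource-* plugin) and reports whether it falls in the affected range.
func checkBinary(path string) (version string, vulnerable bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	v, err := parseGoVersion(bi.GoVersion)
	if err != nil {
		return bi.GoVersion, false, err
	}
	return bi.GoVersion, isVulnerable(v), nil
}

func main() {
	path, err := os.Executable() // default: inspect this program's own binary
	if len(os.Args) > 1 {
		path, err = os.Args[1], nil
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ver, vuln, err := checkBinary(path)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
		os.Exit(2)
	}
	if vuln {
		fmt.Printf("%s: built with %s, within the CVE-2024-24791 affected range\n", path, ver)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, outside the CVE-2024-24791 affected range\n", path, ver)
}
```

Run it as `go run . ~/.pulumi/plugins/resource-aws-v6.42.0/pulumi-resource-aws`; a non-zero exit code makes it easy to wire into a CI gate next to the existing scan. The same check covers any other Go-built plugin in `~/.pulumi/plugins`, since every one of them carries its own embedded toolchain version.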

t0yv0 commented 4 months ago

Thank you for the report! My team is looking into getting this fixed.