search

pulumi / pulumi-std

Standard library functions implemented as a native Pulumi provider to be consumed from all Pulumi supported languages
Apache License 2.0
3 stars 2 forks source link

CVE-2024-24791 in v1.7.2 #69

Closed SivaneshLogandurai closed 4 months ago

SivaneshLogandurai commented 4 months ago

What happened?

Our scanning jobs have identified a new CVE "CVE-2024-24791" in the pulumi-std v1.7.2. This is an issue with the Go standard library net/http.

Example

CVE scan result

    {
      "Target": "home/sl/.pulumi/plugins/resource-std-v1.7.2/pulumi-resource-std",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-24791",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/stdlib@1.21.11",
            "UID": "c34ab9ada49cc727"
          },
          "InstalledVersion": "1.21.11",
          "FixedVersion": "1.21.12, 1.22.5",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:12b42ef700cd619bf6b070c29488e45d2706debd29cc072b6c70cfc476aba9bb",
            "DiffID": "sha256:c01c35830eba6aa5d25006afdecebf6a3ed84701acf2ab573180bd5dc488c3c0"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24791",
          "DataSource": {
            "ID": "govulndb",
            "Name": "The Go Vulnerability Database",
            "URL": "https://pkg.go.dev/vuln/"
          },
          "Description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.",
          "Severity": "UNKNOWN",
          "References": [
            "https://go.dev/cl/591255",
            "https://go.dev/issue/67555",
            "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
            "https://pkg.go.dev/vuln/GO-2024-2963"
          ],
          "PublishedDate": "2024-07-02T22:15:04.833Z",
          "LastModifiedDate": "2024-07-02T22:15:04.833Z"
        }
      ]
    }

Output of pulumi about

Using pulumi v3.122.0 and pulumi-std v1.7.2

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

justinvp commented 4 months ago

v1.7.2 was built with go1.21.11. Looks like it just missed the go1.21.12 release, which was released the same day on 2024-07-02. We can release a new version that uses go1.21.12.

SivaneshLogandurai commented 4 months ago

Yes, it was on the same day unfortunately. I will wait for the new version.

SivaneshLogandurai commented 4 months ago

@justinvp Can I get an ETA on this ticket?

justinvp commented 4 months ago

Fixed in v1.7.3