Open mix4242 opened 1 year ago
Hi there

There exists a high rated vulnerability in `golang.org/x/text` at `v0.3.7` which is fixed in `v0.3.8`. The CVE is CVE-2022-32149.

To reproduce scan the latest `6.7.11` docker image with trivy as follows:

Trivy vulnerability scan

```
/Users/max > trivy image --scanners vuln --ignore-unfixed --severity high rwynn/monstache:6.7.11
2023-04-28T08:08:45.886+0100 INFO Vulnerability scanning is enabled
2023-04-28T08:08:45.908+0100 INFO Detected OS: alpine
2023-04-28T08:08:45.908+0100 INFO Detecting Alpine vulnerabilities...
2023-04-28T08:08:45.909+0100 INFO Number of language-specific files: 1
2023-04-28T08:08:45.909+0100 INFO Detecting gobinary vulnerabilities...

rwynn/monstache:6.7.11 (alpine 3.15.0)

Total: 34 (HIGH: 34)

(...OMITTED...)

bin/monstache (gobinary)

Total: 1 (HIGH: 1)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │ HIGH     │ v0.3.7            │ 0.3.8         │ golang: golang.org/x/text/language: ParseAcceptLanguage │
│                   │                │          │                   │               │ takes a long time to parse complex tags                 │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-32149              │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘
```

Please could version `v0.3.8` be used to fix this vulnerability :)

Thank you

P.S. Never used `golang` but if someone could confirm it's just a case of adding

```
golang.org/x/text v0.3.8 // indirect
```

in `go.mod` I'd be happy to open a PR :)
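A check one could run against a rebuilt binary to confirm which `golang.org/x/text` version was actually compiled in, using the module list the Go toolchain embeds in binaries. This is an added example, not code from monstache or from the issue; the helper names `parseVer` and `status` are hypothetical, and the module path and the `v0.3.8` threshold are taken from the issue above.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// parseVer reads "vMAJOR.MINOR.PATCH". Pseudo-versions and pre-releases
// (any "-" or "+") are rejected so they are never reported as fixed.
func parseVer(v string) (out [3]int, ok bool) {
	if strings.ContainsAny(v, "-+") {
		return out, false
	}
	n, _ := fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out, n == 3
}

// status compares the compiled-in version with the first fixed release.
func status(have, fixed string) string {
	got, ok1 := parseVer(have)
	want, ok2 := parseVer(fixed)
	if !ok1 || !ok2 {
		return "unverified" // e.g. a local-path replace has no version
	}
	for i := 0; i < 3 && got[i] <= want[i]; i++ {
		if got[i] < want[i] {
			return "vulnerable" // first differing component is lower
		}
	}
	return "fixed"
}

func main() {
	// Last argument is the path to the built binary (this program itself if none).
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, m := range info.Deps {
		if m.Path == "golang.org/x/text" {
			if m.Replace != nil {
				m = m.Replace // a replace directive decides what was compiled in
			}
			fmt.Println(m.Path, m.Version, status(m.Version, "v0.3.8"))
		}
	}
}
```

An "unverified" result means the version string could not be compared safely and should be inspected by hand.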