scm-automation-project / go-mod-simple-project


github.com/miekg/dns-v1.0.14: 12 vulnerabilities (highest severity is: 7.5) #6

Open dev-mend-for-github-com[bot] opened 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/miekg/dns-v1.0.14 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-27918 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | 1.15.9, 1.16.1 | |
| CVE-2018-17847 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | N/A | |
| CVE-2018-17848 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | github.com/golang/net/html - 309822c5b9b9f80db67f016069a12628d94fad34;github.com/psiphon-labs/net/html - 309822c5b9b9f80db67f016069a12628d94fad34 | |
| CVE-2018-17846 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | github.com/matishsiao/net/html - 5c9495a32797e34e9bf5ac91e69eb447443b78fd;github.com/pweil-/net/html - 3053e46bf4d836639f474dd738a58070463890e9,5c9495a32797e34e9bf5ac91e69eb447443b78fd,63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/psiphon-labs/net/html - 161cd47e91fd58ac17490ef4d742dc98bb4cf60e,2b459478774d488f63f6b8e8ec2429c502a43dd1;github.com/shekhei/net/html - b1ee7b3fbbb773e8e4b649ade000633fb867ba77,66b3e5ee27f66da79cc3695f293932920e946d87;github.com/alexsaveliev/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/foreversmart/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/suedadam/net/html - fbe893ddcdf0e847ed928b77e4b17ff5ec3b8a32;github.com/fangdingjun/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/crmackay/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/jfcote87/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/chris-ramon/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/johnsto/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/rsms/golang-net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/rainkid/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,7ad508c2a7acafff7c6c8522d7e6efda5311476c,2a8eb9119c34470d7ecc9fb846e6ae3da2512cdd,3eb064ebfe6b9b907715cf7eeda05c367c55f32d,2e20f33919de098ec28d48d93b0735cc76567f6e,23996681074122163cfa22b185668f84935be9a9,a33e90a7ecf9022ea7e3e42bb05bd5a5cca71f35;github.com/subuk/net/html - 66b3e5ee27f66da79cc3695f293932920e946d87;github.com/hugomfernandes/net/html - 67f25490433376b5f7da086c0b9283fcdeca3a7b,a33e90a7ecf9022ea7e3e42bb05bd5a5cca71f35,6f62f426de90c0ed6a55207b51476115fcb17237,63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/letsencrypt/net/html - 153a6a61520e23dabb758b4a612bff144e5e28eb,1cd7b7179478daf1f19f8b4b4f08106ef411619b,ca657d0bd9d9b4f73523118b59af79e5374b9908,5b4754d96d73efe14f882d2f14ae3d29f7b2a67d,b56b60992857e77db9472023aaef7a33881d130b,8bc62b7ce1723e0e686c39f8fe3c5e8d03c8524c,d8b496d92df37acaa5a038846651d41f7cbe6326,3748d8c2fdc5600797e1200ed7ca82358bbeadeb,947224908606a5aa6af4427c3a2cea51387aa38a;github.com/nodirt/net/html - 66b3e5ee27f66da79cc3695f293932920e946d87,ec18079348e79eb393866e87d402a1a8cc580d7f;github.com/jash16/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/bountylabs/net/html - 2a8eb9119c34470d7ecc9fb846e6ae3da2512cdd,59b0df9b1f7abda5aab0495ee54f408daf182ce7,63ee83b038e98e5716bfdd1a94178718cff506d2,9f8bef6b5998053643dca00058a0938278e882ab,1db34d83398887aa887306d261882f799bee3678,46077d3c5415f800cd8105911d4ed880c1db2138;github.com/suifengrock/golang-net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,40ad15caf30bbcbd0cb852523ec4dfabc440d37b,5058c78c3627b31e484a81463acd51c7cecc06f3;github.com/petermattis/x-net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/bradleyfalzon/net/html - 1cd7b7179478daf1f19f8b4b4f08106ef411619b,ca657d0bd9d9b4f73523118b59af79e5374b9908,153a6a61520e23dabb758b4a612bff144e5e28eb,5b4754d96d73efe14f882d2f14ae3d29f7b2a67d,b56b60992857e77db9472023aaef7a33881d130b,8bc62b7ce1723e0e686c39f8fe3c5e8d03c8524c;github.com/radioinmyhead/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,3053e46bf4d836639f474dd738a58070463890e9;github.com/jelmersnoeck/go.net/html - 104dcad90073cd8d1e6828b2af19185b60cf3e29;github.com/jackmiller334/net/html - d96e6bbf425715f2bd00806e45fbbd5a54870397,63ee83b038e98e5716bfdd1a94178718cff506d2,5b76c8047cfbdbe90fdc031267d2144555ad63e3;github.com/owner888/net/html - 66b3e5ee27f66da79cc3695f293932920e946d87;github.com/golang/net/html - 97775bb4655419e5ab44c1f918c5bed052130f1b,161cd47e91fd58ac17490ef4d742dc98bb4cf60e;github.com/cesanta/goxnet/html - 23996681074122163cfa22b185668f84935be9a9,63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/fanatic/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/8090boy/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/niniwzw/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2;github.com/smithfox/gonet/html - 835a8501270a5b32645da11de6ee20e02f57e10e;github.com/matishsiao/net/html - 67f25490433376b5f7da086c0b9283fcdeca3a7b,8bc62b7ce1723e0e686c39f8fe3c5e8d03c8524c,405a8afa2d839d68dbd0481db63e49356af19650,2e20f33919de098ec28d48d93b0735cc76567f6e;github.com/donovanhide/net/html - 63ee83b038e98e5716bfdd1a94178718cff506d2,5b4754d96d73efe14f882d2f14ae3d29f7b2a67d,1cd7b7179478daf1f19f8b4b4f08106ef411619b | |
| CVE-2021-33194 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | N/A | |
| CVE-2020-9283 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236 | |
| CVE-2020-29652 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | v0.0.0-20201216223049-8b5274cf687f | |
| CVE-2020-7919 | High | 7.5 | github.com/miekg/dns-v1.0.14 | Direct | go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d | |
| CVE-2021-31525 | Medium | 5.9 | github.com/miekg/dns-v1.0.14 | Direct | golang - v1.15.12,v1.16.4,v1.17.0 | |
| CVE-2019-11841 | Medium | 5.9 | github.com/miekg/dns-v1.0.14 | Direct | | |
| CVE-2019-19794 | Medium | 5.9 | github.com/miekg/dns-v1.0.14 | Direct | v1.1.25 | |
| WS-2019-0030 | Medium | 5.0 | github.com/miekg/dns-v1.0.14 | Direct | commit b7391e95e576cacdcdd422573063bc057239113d | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2021-27918**

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0

Found in base branch: main

### Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11

URL: CVE-2021-27918

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Release Date: 2021-03-11

Fix Resolution: 1.15.9, 1.16.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2018-17847**

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0

Found in base branch: main

### Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles