Vulnerable Library - github.com/miekg/dns-v1.0.14
DNS library in Go
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Vulnerabilities
In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2021-27918
### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11
URL: CVE-2021-27918

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
Release Date: 2021-03-11
Fix Resolution: 1.15.9, 1.16.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-17847

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

CVE-2018-17848

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17848
Release Date: 2018-10-01
Fix Resolution: github.com/golang/net/html - 309822c5b9b9f80db67f016069a12628d94fad34;github.com/psiphon-labs/net/html - 309822c5b9b9f80db67f016069a12628d94fad34
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2018-17846

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles

Publish Date: 2018-10-01
URL: CVE-2018-17846

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17846
Release Date: 2018-10-01
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-33194

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26
URL: CVE-2021-33194

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

CVE-2020-9283

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Publish Date: 2020-02-20
URL: CVE-2020-9283

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
Release Date: 2020-02-20
Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-29652

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17
URL: CVE-2020-29652

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-7919

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

Publish Date: 2020-03-16
URL: CVE-2020-7919

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7919
Release Date: 2020-03-16
Fix Resolution: go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-31525

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27
URL: CVE-2021-31525

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-11841

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.

Publish Date: 2019-05-22
URL: CVE-2019-11841

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-11841
Release Date: 2019-05-22
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-19794

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

Publish Date: 2019-12-13
URL: CVE-2019-19794

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19794
Release Date: 2020-01-02
Fix Resolution: v1.1.25
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0030

### Vulnerable Library - github.com/miekg/dns-v1.0.14

DNS library in Go

Path to dependency file: /go.mod
Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **github.com/miekg/dns-v1.0.14** (Vulnerable Library)

Found in HEAD commit: d84c7024cb8f50e05bf9ef82c5d0e6df8328d7a0
Found in base branch: main
### Vulnerability Details

Commit b7391e95 fixes a vulnerability in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages that affects large message sizes or high counter values.

Publish Date: 2019-03-19
URL: WS-2019-0030

### CVSS 2 Score Details (5.0)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version
Origin: https://go-review.googlesource.com/c/crypto/+/168406/
Release Date: 2019-03-19
Fix Resolution: commit b7391e95e576cacdcdd422573063bc057239113d
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.