spf13 / afero

A FileSystem Abstraction System for Go
Apache License 2.0
5.95k stars, 511 forks

Hi there, your project pulls in 77 open-source components and has 2 vulnerabilities; please upgrade #345

Open ghost opened 2 years ago

ghost commented 2 years ago

Detected that spf13/afero pulls in 77 open-source components in total, with 2 vulnerabilities

Vulnerability title: Google Kubernetes API Server resource management error vulnerability
Defective component: gopkg.in/yaml.v2@v2.2.2
Vulnerability ID: CVE-2019-11254
Vulnerability description: Google Kubernetes is an open-source Docker container cluster management system from Google (USA). It provides resource scheduling, deployment, service discovery, and scaling for containerized applications. The API server is one of its API (application programming interface) servers.
The API Server component in Google Kubernetes versions before 1.15.10, before 1.16.7, and before 1.17.3 has a resource management error vulnerability. A remote attacker can exploit it with a specially crafted request to cause a denial of service.
National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2020-35519
Affected range: (∞, 2.2.8)
Minimum fixed version: 2.2.8
Import path of the defective component: github.com/spf13/afero@->gopkg.in/yaml.v2@v2.2.2

There are also 2 more vulnerabilities; full report: https://mofeisec.com/jr?p=a0bfd4

kwaicssec commented 2 years ago

@spf13, hi, the vulnerability report above is what a security plugin flagged for your project while I was running my IDE. Please fix them when you can; I'm worried that other people who use this project will pick up these vulnerabilities too. :)

jxsl13 commented 2 years ago

English pls. Also this library should not have anything to do with Kubernetes.

AndrusGerman commented 2 years ago

@jxsl13 Doing some research, it seems to be a vulnerability reported by Kubernetes; it is related to the library gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=, which is in the go.sum.

kubernetes/issues/89535
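The go.sum line quoted above ends in `/go.mod`, which matters for triaging a report like this one. go.sum records a checksum for every module version the go command consulted, and a `version/go.mod` entry means only that module's go.mod was fetched for version selection; it does not show that the version was selected for the build, let alone that the vulnerable code is reachable (`go list -m all` shows the selected versions and `govulncheck` checks reachability). The program below is an added example written for this page, not code from afero or from the scanner: it parses a constructed go.sum fragment (the yaml.v2 v2.2.2 line is the one quoted in this thread; the other hashes are placeholders), flags entries below the fix version 2.2.8 given in the report, and distinguishes go.mod-only entries from ones whose module source was actually downloaded.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// SumEntry is one line of go.sum. GoModOnly is true for "version/go.mod"
// lines: the checksum covers only that module's go.mod, so the module was
// consulted during version selection but its source was not necessarily
// downloaded or built.
type SumEntry struct {
	Module    string
	Version   string
	GoModOnly bool
	Hash      string
}

// Constructed sample go.sum fragment (assumption for this example). Only the
// gopkg.in/yaml.v2 v2.2.2/go.mod line is taken from the thread above.
const sampleGoSum = `github.com/pkg/sftp v1.10.1 h1:placeholder-zip-hash=
github.com/pkg/sftp v1.10.1/go.mod h1:placeholder-mod-hash=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:placeholder-zip-hash=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:placeholder-mod-hash=
`

// ParseGoSum parses go.sum text into entries, skipping blank or malformed lines.
func ParseGoSum(text string) []SumEntry {
	var entries []SumEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 3 {
			continue
		}
		ver := fields[1]
		goModOnly := strings.HasSuffix(ver, "/go.mod")
		ver = strings.TrimSuffix(ver, "/go.mod")
		entries = append(entries, SumEntry{Module: fields[0], Version: ver, GoModOnly: goModOnly, Hash: fields[2]})
	}
	return entries
}

// splitVersion turns "vMAJOR.MINOR.PATCH[-pre][+meta]" into its numeric parts
// and pre-release string; build metadata is ignored for ordering.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	var pre string
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		nums[i] = n
	}
	return nums, pre
}

// CompareVersions returns -1, 0 or +1 for a < b, a == b, a > b. A pre-release
// (or a pseudo-version, which also carries a "-" suffix) sorts before the
// bare release it precedes, as in semver.
func CompareVersions(a, b string) int {
	na, pa := splitVersion(a)
	nb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	case pa < pb:
		return -1
	}
	return 1
}

// Finding is a go.sum entry whose version lies in the vulnerable range (-inf, Fixed).
type Finding struct {
	Entry SumEntry
	Fixed string
}

// FindBelowFix returns every entry for module whose version is older than fixed.
func FindBelowFix(entries []SumEntry, module, fixed string) []Finding {
	var out []Finding
	for _, e := range entries {
		if e.Module == module && CompareVersions(e.Version, fixed) < 0 {
			out = append(out, Finding{Entry: e, Fixed: fixed})
		}
	}
	return out
}

func main() {
	entries := ParseGoSum(sampleGoSum)
	// CVE-2019-11254 in gopkg.in/yaml.v2: minimum fixed version 2.2.8 per the report above.
	for _, f := range FindBelowFix(entries, "gopkg.in/yaml.v2", "v2.2.8") {
		note := "module source checksum present: this version was downloaded"
		if f.Entry.GoModOnly {
			note = "go.mod checksum only: seen during version selection, not necessarily built"
		}
		fmt.Printf("%s %s < %s (%s)\n", f.Entry.Module, f.Entry.Version, f.Fixed, note)
	}
}
```

Running it reports the single v2.2.2 entry as go.mod-only, which is exactly the situation where a go.sum-based scanner raises an alert that needs confirming against the selected version. The comparison treats anything below the fix version as affected because the report gives only an upper bound; a real advisory with an introduced version would need a lower bound as well.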

cloudwindy commented 2 years ago

Translation: (no guarantee on correctness)

Package spf13/afero imports 77 open-source packages and 2 vulnerabilities are detected.
Title: Google Kubernetes API Server Resource Management Error
Package: gopkg.in/yaml.v2@v2.2.2
CVE: CVE-2019-11254
CNVD: CNVD-2020-35519
Affected: (∞, 2.2.8)
Fixed: 2.2.8
Import path: github.com/spf13/afero@->gopkg.in/yaml.v2@v2.2.2