sureng-ws-ibm / go-remediate-issue


github.com/etcd-io/etcd-v3.3.22: 21 vulnerabilities (highest severity is: 9.8) #5

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/etcd-io/etcd-v3.3.22 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2022-0329 | Critical | 9.8 | github.com/etcd-io/etcd-v3.3.22 | Direct | 3.3.23,3.4.10 | |
| CVE-2021-28235 | Critical | 9.8 | github.com/etcd-io/etcd-v3.3.22 | Direct | v3.4.25,v3.5.8 | |
| CVE-2020-15114 | High | 7.7 | github.com/etcd-io/etcd-v3.3.22 | Direct | 3.4.10, 3.3.23 | |
| WS-2022-0328 | High | 7.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | 3.3.23,3.4.10 | |
| CVE-2023-44487 | High | 7.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0 | |
| CVE-2022-21698 | High | 7.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | v1.11.1 | |
| CVE-2021-44716 | High | 7.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70 | |
| CVE-2020-27813 | High | 7.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | v1.4.1 | |
| CVE-2020-26160 | High | 7.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | 4.0.0-preview1 | |
| CVE-2020-14040 | High | 7.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | v0.3.3 | |
| CVE-2020-15136 | Medium | 6.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | 3.4.10, 3.3.23 | |
| CVE-2020-15112 | Medium | 6.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | 3.4.10, 3.3.23 | |
| CVE-2020-15106 | Medium | 6.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | v3.3.23;v3.4.10 | |
| CVE-2019-11254 | Medium | 6.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | v2.2.8 | |
| CVE-2021-31525 | Medium | 5.9 | github.com/etcd-io/etcd-v3.3.22 | Direct | golang - v1.15.12,v1.16.4,v1.17.0 | |
| CVE-2020-15115 | Medium | 5.8 | github.com/etcd-io/etcd-v3.3.22 | Direct | 3.4.10, 3.3.23 | |
| CVE-2020-15113 | Medium | 5.7 | github.com/etcd-io/etcd-v3.3.22 | Direct | 3.4.10, 3.3.23 | |
| CVE-2021-4235 | Medium | 5.5 | github.com/etcd-io/etcd-v3.3.22 | Direct | v2.2.3 | |
| CVE-2022-29526 | Medium | 5.3 | github.com/etcd-io/etcd-v3.3.22 | Direct | go1.17.10,go1.18.2,go1.19 | |
| CVE-2018-1099 | Medium | 4.0 | github.com/etcd-io/etcd-v3.3.22 | Direct | v3.4.0-rc.0 | |
| CVE-2024-51744 | Low | 3.1 | github.com/etcd-io/etcd-v3.3.22 | Direct | github.com/golang-jwt/jwt-v4.5.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**WS-2022-0329**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

etcd vulnerable to TOCTOU of gateway endpoint authentication

Publish Date: 2024-11-03

URL: WS-2022-0329

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h8g9-6gvh-5mrc

Release Date: 2022-10-07

Fix Resolution: 3.3.23,3.4.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-28235**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.

Publish Date: 2023-04-04

URL: CVE-2021-28235

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-gmph-wf7j-9gcm

Release Date: 2023-04-04

Fix Resolution: v3.4.25,v3.5.8

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-15114**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.

Publish Date: 2020-08-06

URL: CVE-2020-15114

### CVSS 3 Score Details (7.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-06

Fix Resolution: 3.4.10, 3.3.23

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**WS-2022-0328**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

etcd user credentials are stored in WAL logs in plaintext.

Publish Date: 2024-11-03

URL: WS-2022-0328

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-528j-9r78-wffx

Release Date: 2022-10-07

Fix Resolution: 3.3.23,3.4.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2023-44487**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2022-21698**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-44716**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-27813**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.

Publish Date: 2020-12-02

URL: CVE-2020-27813

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0019

Release Date: 2020-12-02

Fix Resolution: v1.4.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-26160**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-w73w-5m7g-f7qc

Release Date: 2020-09-30

Fix Resolution: 4.0.0-preview1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-14040**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-15136**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.

Publish Date: 2020-08-06

URL: CVE-2020-15136

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-06

Fix Resolution: 3.4.10, 3.3.23

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-15112**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus, as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

Publish Date: 2020-08-05

URL: CVE-2020-15112

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-15106**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

Publish Date: 2020-08-05

URL: CVE-2020-15106

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-15106

Release Date: 2020-08-05

Fix Resolution: v3.3.23;v3.4.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2019-11254**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-10-02

Fix Resolution: v2.2.8

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-31525**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-15115**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.

Publish Date: 2020-08-06

URL: CVE-2020-15115

### CVSS 3 Score Details (5.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-06

Fix Resolution: 3.4.10, 3.3.23

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-15113**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).

Publish Date: 2020-08-05

URL: CVE-2020-15113

### CVSS 3 Score Details (5.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-4235**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

Publish Date: 2022-12-27

URL: CVE-2021-4235

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-12-27

Fix Resolution: v2.2.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2022-29526**

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-22

URL: CVE-2022-29526

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526

Release Date: 2022-06-23

Fix Resolution: go1.17.10,go1.18.2,go1.19

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-1099

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).

Publish Date: 2018-04-03

URL: CVE-2018-1099

### CVSS 3 Score Details (4.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1099

Release Date: 2018-04-03

Fix Resolution: v3.4.0-rc.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-51744

### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip

Path to dependency file: /go-remediate/go.mod

Path to vulnerable library: /go-remediate/go.mod

Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)

Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab

Found in base branch: main

### Vulnerability Details

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

Publish Date: 2024-11-04

URL: CVE-2024-51744

### CVSS 3 Score Details (3.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r

Release Date: 2024-11-04

Fix Resolution: github.com/golang-jwt/jwt-v4.5.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 8 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.