Open mend-for-github-com[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - github.com/etcd-io/etcd-v3.3.22
Distributed reliable key-value store for the most critical data of a distributed system
Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip
Path to dependency file: /go-remediate/go.mod
Path to vulnerable library: /go-remediate/go.mod
Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab
Vulnerabilities
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.**
Details
WS-2022-0329
### Vulnerable Library - github.com/etcd-io/etcd-v3.3.22
Distributed reliable key-value store for the most critical data of a distributed system
Library home page: https://proxy.golang.org/github.com/etcd-io/etcd/@v/v3.3.22+incompatible.zip
Path to dependency file: /go-remediate/go.mod
Path to vulnerable library: /go-remediate/go.mod
Dependency Hierarchy:
- :x: **github.com/etcd-io/etcd-v3.3.22** (Vulnerable Library)
Found in HEAD commit: 270cc58a78fd567e736a727c44967bccbfd512ab
Found in base branch: main
### Vulnerability Details
etcd vulnerable to TOCTOU of gateway endpoint authentication
Publish Date: 2022-10-07
URL: WS-2022-0329
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h8g9-6gvh-5mrc
Release Date: 2022-10-07
Fix Resolution: 3.3.23,3.4.10
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-28235
### Vulnerability Details
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.
Publish Date: 2023-04-04
URL: CVE-2021-28235
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-gmph-wf7j-9gcm
Release Date: 2023-04-04
Fix Resolution: v3.4.25,v3.5.8
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15114
### Vulnerability Details
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.
Publish Date: 2020-08-06
URL: CVE-2020-15114
### CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-08-06
Fix Resolution: 3.4.10, 3.3.23
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2022-0328
### Vulnerability Details
etcd user credentials are stored in WAL logs in plaintext.
Publish Date: 2022-10-07
URL: WS-2022-0328
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-528j-9r78-wffx
Release Date: 2022-10-07
Fix Resolution: 3.3.23,3.4.10
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-44487
### Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-21698
### Vulnerability Details
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
Publish Date: 2022-02-15
URL: CVE-2022-21698
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
Release Date: 2022-02-15
Fix Resolution: v1.11.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-44716
### Vulnerability Details
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Publish Date: 2022-01-01
URL: CVE-2021-44716
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-vc3p-29h2-gpcp
Release Date: 2022-01-01
Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-27813
### Vulnerability Details
An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.
Publish Date: 2020-12-02
URL: CVE-2020-27813
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0019
Release Date: 2020-12-02
Fix Resolution: v1.4.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-26160
### Vulnerability Details
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-w73w-5m7g-f7qc
Release Date: 2020-09-30
Fix Resolution: 4.0.0-preview1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-14040
### Vulnerability Details
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15136
### Vulnerability Details
In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
Publish Date: 2020-08-06
URL: CVE-2020-15136
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-08-06
Fix Resolution: 3.4.10, 3.3.23
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15112
### Vulnerability Details
In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus, as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.
Publish Date: 2020-08-05
URL: CVE-2020-15112
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-08-05
Fix Resolution: 3.4.10, 3.3.23
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15106
### Vulnerability Details
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
Publish Date: 2020-08-05
URL: CVE-2020-15106
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-15106
Release Date: 2020-08-05
Fix Resolution: v3.3.23;v3.4.10
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-11254
### Vulnerability Details
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-10-02
Fix Resolution: v2.2.8
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-31525
### Vulnerability Details
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
### CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15115
### Vulnerability Details
etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
Publish Date: 2020-08-06
URL: CVE-2020-15115
### CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-08-06
Fix Resolution: 3.4.10, 3.3.23
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15113
### Vulnerability Details
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).
Publish Date: 2020-08-05
URL: CVE-2020-15113
### CVSS 3 Score Details (5.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-08-05
Fix Resolution: 3.4.10, 3.3.23
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-4235
### Vulnerability Details
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
Publish Date: 2022-12-27
URL: CVE-2021-4235
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2022-12-27
Fix Resolution: v2.2.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-29526
### Vulnerability Details
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
Publish Date: 2022-06-22
URL: CVE-2022-29526
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526
Release Date: 2022-06-23
Fix Resolution: go1.17.10,go1.18.2,go1.19
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-1099
### Vulnerability Details
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
Publish Date: 2018-04-03
URL: CVE-2018-1099
### CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1099
Release Date: 2018-04-03
Fix Resolution: v3.4.0-rc.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.