*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A vulnerability was found in docconv up to 1.2.0. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdf_ocr.go. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is b19021ade3d0b71c89d35cb00eb9e589a121faa5. It is recommended to upgrade the affected component. VDB-216502 is the identifier assigned to this vulnerability.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-45286
### Vulnerable Library - github.com/go-resty/resty/v2-v2.7.0
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
A vulnerability was found in docconv up to 1.2.0 and classified as problematic. This issue affects the function ConvertDocx/ConvertODT/ConvertPages/ConvertXML/XMLToText. The manipulation leads to uncontrolled memory allocation. The attack may be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is 42bcff666855ab978e67a9041d0cdea552f20301. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216779.
Converts PDF, DOC, DOCX, XML, HTML, RTF, etc to plain text
Library home page: https://proxy.golang.org/code.sajari.com/docconv/@v/v1.2.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-4643
### Vulnerable Library - code.sajari.com/docconv-v1.2.0Converts PDF, DOC, DOCX, XML, HTML, RTF, etc to plain text
Library home page: https://proxy.golang.org/code.sajari.com/docconv/@v/v1.2.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy: - :x: **code.sajari.com/docconv-v1.2.0** (Vulnerable Library)
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Found in base branch: master
### Vulnerability DetailsA vulnerability was found in docconv up to 1.2.0. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdf_ocr.go. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is b19021ade3d0b71c89d35cb00eb9e589a121faa5. It is recommended to upgrade the affected component. VDB-216502 is the identifier assigned to this vulnerability.
Publish Date: 2022-12-21
URL: CVE-2022-4643
### CVSS 3 Score Details (6.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-4643
Release Date: 2022-12-21
Fix Resolution: v1.2.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-45286
### Vulnerable Library - github.com/go-resty/resty/v2-v2.7.0Simple HTTP and REST client library for Go
Library home page: https://proxy.golang.org/github.com/go-resty/resty/v2/@v/v2.7.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy: - code.sajari.com/docconv-v1.2.0 (Root Library) - github.com/advancedlogic/GoOse-v0.0.0-20210820140952-9d5822d4a625 - :x: **github.com/go-resty/resty/v2-v2.7.0** (Vulnerable Library)
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Found in base branch: master
### Vulnerability DetailsA race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
Publish Date: 2023-11-28
URL: CVE-2023-45286
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-45286
Release Date: 2023-11-28
Fix Resolution: v2.10.0
CVE-2022-4741
### Vulnerable Library - code.sajari.com/docconv-v1.2.0Converts PDF, DOC, DOCX, XML, HTML, RTF, etc to plain text
Library home page: https://proxy.golang.org/code.sajari.com/docconv/@v/v1.2.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy: - :x: **code.sajari.com/docconv-v1.2.0** (Vulnerable Library)
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Found in base branch: master
### Vulnerability DetailsA vulnerability was found in docconv up to 1.2.0 and classified as problematic. This issue affects the function ConvertDocx/ConvertODT/ConvertPages/ConvertXML/XMLToText. The manipulation leads to uncontrolled memory allocation. The attack may be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is 42bcff666855ab978e67a9041d0cdea552f20301. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216779.
Publish Date: 2022-12-25
URL: CVE-2022-4741
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-4741
Release Date: 2022-12-25
Fix Resolution: v1.2.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.