:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
# Vulnerable Library - go.temporal.io/server-v1.17.5
Found in HEAD commit: 63b662559cd583d424ccbd121f96a1194e1fa2eb
## Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
## Details
### CVE-2018-1320
#### Vulnerable Library - github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7

Apache Thrift
Library home page: https://proxy.golang.org/github.com/apache/thrift/@v/v0.0.0-20161221203622-b2a4d4ae21c7.zip
Dependency Hierarchy:
- go.temporal.io/server-v1.17.5 (Root Library)
  - github.com/temporalio/ringpop-go-v0.0.0-20211012191444-6f91b5915e95
    - :x: **github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7** (Vulnerable Library)
Found in HEAD commit: 63b662559cd583d424ccbd121f96a1194e1fa2eb
Found in base branch: main
#### Vulnerability Details

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings, making the validation incomplete.
Publish Date: 2019-01-07
URL: CVE-2018-1320
#### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320
Release Date: 2019-01-07
Fix Resolution: 0.12.0
### CVE-2019-0205
#### Vulnerable Libraries - github.com/uber-go/tally/v4-v4.1.2, github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7

#### github.com/uber-go/tally/v4-v4.1.2
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.2.zip
Dependency Hierarchy:
- go.temporal.io/server-v1.17.5 (Root Library)
  - :x: **github.com/uber-go/tally/v4-v4.1.2** (Vulnerable Library)

#### github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7
Apache Thrift
Library home page: https://proxy.golang.org/github.com/apache/thrift/@v/v0.0.0-20161221203622-b2a4d4ae21c7.zip
Dependency Hierarchy:
- go.temporal.io/server-v1.17.5 (Root Library)
  - github.com/temporalio/ringpop-go-v0.0.0-20211012191444-6f91b5915e95
    - :x: **github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7** (Vulnerable Library)
Found in HEAD commit: 63b662559cd583d424ccbd121f96a1194e1fa2eb
Found in base branch: main
#### Vulnerability Details

In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Publish Date: 2019-10-29
URL: CVE-2019-0205
#### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
Release Date: 2019-10-29
Fix Resolution: org.apache.thrift:libthrift:0.13.0
### CVE-2019-0210
#### Vulnerable Libraries - github.com/uber-go/tally/v4-v4.1.2, github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7

#### github.com/uber-go/tally/v4-v4.1.2
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.2.zip
Dependency Hierarchy:
- go.temporal.io/server-v1.17.5 (Root Library)
  - :x: **github.com/uber-go/tally/v4-v4.1.2** (Vulnerable Library)

#### github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7
Apache Thrift
Library home page: https://proxy.golang.org/github.com/apache/thrift/@v/v0.0.0-20161221203622-b2a4d4ae21c7.zip
Dependency Hierarchy:
- go.temporal.io/server-v1.17.5 (Root Library)
  - github.com/temporalio/ringpop-go-v0.0.0-20211012191444-6f91b5915e95
    - :x: **github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7** (Vulnerable Library)
Found in HEAD commit: 63b662559cd583d424ccbd121f96a1194e1fa2eb
Found in base branch: main
#### Vulnerability Details

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data.
Publish Date: 2019-10-29
URL: CVE-2019-0210
#### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version
Origin: http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E
Release Date: 2019-10-29
Fix Resolution: 0.13.0
### CVE-2018-11798
#### Vulnerable Library - github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7

Apache Thrift
Library home page: https://proxy.golang.org/github.com/apache/thrift/@v/v0.0.0-20161221203622-b2a4d4ae21c7.zip
Dependency Hierarchy:
- go.temporal.io/server-v1.17.5 (Root Library)
  - github.com/temporalio/ringpop-go-v0.0.0-20211012191444-6f91b5915e95
    - :x: **github.com/apache/thrift-v0.0.0-20161221203622-b2a4d4ae21c7** (Vulnerable Library)
Found in HEAD commit: 63b662559cd583d424ccbd121f96a1194e1fa2eb
Found in base branch: main
#### Vulnerability Details

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the web server's configured docroot path.
Publish Date: 2019-01-07
URL: CVE-2018-11798
#### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11798
Release Date: 2019-01-07
Fix Resolution: v0.12.0
### CVE-2020-28928
#### Vulnerable Library - modernc.org/libc-v1.16.10

Library home page: https://proxy.golang.org/modernc.org/libc/@v/v1.16.10.zip
Dependency Hierarchy:
- go.temporal.io/server-v1.17.5 (Root Library)
  - modernc.org/sqlite-v1.17.3
    - :x: **modernc.org/libc-v1.16.10** (Vulnerable Library)
Found in HEAD commit: 63b662559cd583d424ccbd121f96a1194e1fa2eb
Found in base branch: main
#### Vulnerability Details

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
Publish Date: 2020-11-24
URL: CVE-2020-28928
#### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28928
Release Date: 2020-11-24
Fix Resolution: musl - 1.2.2-1,1.2.2-1,1.1.16-3+deb9u1