search

turkdevops / sourcegraph

Universal code search (self-hosted)
https://sourcegraph.com
Other
1 stars 0 forks source link

CVE-2019-3564 (High) detected in multiple libraries - autoclosed #196

Closed mend-bolt-for-github[bot] closed 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2019-3564 - High Severity Vulnerability

Vulnerable Libraries - github.com/lightstep/lightstep-tracer-go/lightstepoc-v0.15.6, github.com/lightstep/lightstep-tracer-go-v0.15.6, github.com/lightstep/lightstep-tracer-go/lightstepoc/internal/conversions-v0.15.6

github.com/lightstep/lightstep-tracer-go/lightstepoc-v0.15.6

The LightStep distributed tracing library for Go

Dependency Hierarchy: - github.com/lightstep/lightstep-tracer-go-v0.15.6 (Root Library) - :x: **github.com/lightstep/lightstep-tracer-go/lightstepoc-v0.15.6** (Vulnerable Library)

github.com/lightstep/lightstep-tracer-go-v0.15.6

The LightStep distributed tracing library for Go

Dependency Hierarchy: - :x: **github.com/lightstep/lightstep-tracer-go-v0.15.6** (Vulnerable Library)

github.com/lightstep/lightstep-tracer-go/lightstepoc/internal/conversions-v0.15.6

The LightStep distributed tracing library for Go

Dependency Hierarchy: - github.com/lightstep/lightstep-tracer-go-v0.15.6 (Root Library) - :x: **github.com/lightstep/lightstep-tracer-go/lightstepoc/internal/conversions-v0.15.6** (Vulnerable Library)

Found in HEAD commit: f8d44c382168ebea3a3dae2b5347a7ffe36f343a

Found in base branch: dev/seed-tool

Vulnerability Details

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.

Publish Date: 2019-05-06

URL: CVE-2019-3564

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3564

Release Date: 2019-05-06

Fix Resolution: v2019.03.04.00

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] commented 3 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.