mend-for-github-com[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2021-3121
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Publish Date: 2021-01-11
URL: CVE-2021-3121
### CVSS 3 Score Details (8.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121
Release Date: 2021-01-11
Fix Resolution: v1.3.2
CVE-2019-11253
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsImproper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.
Publish Date: 2019-10-17
URL: CVE-2019-11253
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-10-02
Fix Resolution: v1.13.12;v1.14.8;v1.15.5;v1.16.2
CVE-2022-21698
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability Detailsclient_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
Publish Date: 2022-02-15
URL: CVE-2022-21698
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
Release Date: 2022-02-15
Fix Resolution: v1.11.1
WS-2021-0200
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsYaml in versions v2.2.0 to v2.2.2 is vulnerable to denial of service vector. Related to decode.go
Publish Date: 2021-04-14
URL: WS-2021-0200
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0061
Release Date: 2021-04-14
Fix Resolution: v2.2.3
CVE-2020-26160
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability Detailsjwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26160
Release Date: 2020-09-30
Fix Resolution: v4.0.0-preview1
CVE-2018-17419
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in setTA in scan_rr.go in the Miek Gieben DNS library before 1.0.10 for Go. A dns.ParseZone() parsing error causes a segmentation violation, leading to denial of service.
Publish Date: 2019-03-07
URL: CVE-2018-17419
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9545
Release Date: 2019-03-07
Fix Resolution: v1.0.10
CVE-2021-44716
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability Detailsnet/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Publish Date: 2022-01-01
URL: CVE-2021-44716
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-vc3p-29h2-gpcp
Release Date: 2022-01-01
Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70
CVE-2019-11250
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsThe Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
Publish Date: 2019-08-29
URL: CVE-2019-11250
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0065
Release Date: 2020-10-16
Fix Resolution: v1.16.0-beta.1
CVE-2019-11254
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsThe Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-10-02
Fix Resolution: v2.2.8
CVE-2019-8331
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsIn Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2018-14040
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsIn Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2018-20677
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsIn Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
CVE-2018-14042
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsIn Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
CVE-2018-20676
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsIn Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2016-10735
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsIn Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
CVE-2019-3826
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsA stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
Publish Date: 2019-03-26
URL: CVE-2019-3826
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3826
Release Date: 2019-03-26
Fix Resolution: 2.7.1
CVE-2019-19794
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsThe miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
Publish Date: 2019-12-13
URL: CVE-2019-19794
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19794
Release Date: 2020-01-02
Fix Resolution: v1.1.25
CVE-2020-8565
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsIn Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Publish Date: 2020-12-07
URL: CVE-2020-8565
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0064
Release Date: 2020-12-07
Fix Resolution: v1.20.0-alpha.2
CVE-2022-29526
### Vulnerable Library - github.com/prometheus/prometheus-v2.5.0+incompatibleThe Prometheus monitoring system and time series database.
Library home page: https://proxy.golang.org/github.com/prometheus/prometheus/@v/v2.5.0+incompatible.zip
Dependency Hierarchy: - contrib.go.opencensus.io/exporter/stackdriver-v0.13.12 (Root Library) - :x: **github.com/prometheus/prometheus-v2.5.0+incompatible** (Vulnerable Library)
Found in HEAD commit: c04310548fdec9627ddb152fdaaff87b25527881
Found in base branch: main
### Vulnerability DetailsGo before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
Publish Date: 2022-06-23
URL: CVE-2022-29526
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526
Release Date: 2022-06-23
Fix Resolution: go1.17.10,go1.18.2,go1.19