search

vipinsun / blockchain-carbon-accounting

Apache License 2.0
0 stars 0 forks source link

CVE-2020-14040 (High) detected in multiple libraries - autoclosed #14

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Libraries - github.com/golang/text-v0.3.2, github.com/containerd/containerd-v1.3.0, github.com/hyperledger/fabric-v1.4.1

github.com/golang/text-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy: - github.com/hyperledger/fabric-protos-go-d7d9b8e1fcde4eb6a4b44ec9003bfb90eee3301c (Root Library) - github.com/grpc/grpc-go-v1.27.0 - github.com/golang/net-16171245cfb220d5317888b716d69c1fb4e7992b - :x: **github.com/golang/text-v0.3.2** (Vulnerable Library)

github.com/containerd/containerd-v1.3.0

An open and reliable container runtime

Dependency Hierarchy: - github.com/hyperledger/fabric-v1.4.1 (Root Library) - github.com/fsouza/go-dockerclient-v1.6.5 - github.com/docker/docker-v17.03.2-ce - :x: **github.com/containerd/containerd-v1.3.0** (Vulnerable Library)

github.com/hyperledger/fabric-v1.4.1

Read-only mirror of https://gerrit.hyperledger.org/r/#/admin/projects/fabric

Dependency Hierarchy: - :x: **github.com/hyperledger/fabric-v1.4.1** (Vulnerable Library)

Found in HEAD commit: d388e16464e00b9ce84df0d247029f534a429b90

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.