vipinsun / fabric

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. Its modular and versatile design satisfies a broad range of industry use cases. It offers a unique approach to consensus that enables performance at scale while preserving privacy.
https://wiki.hyperledger.org/display/fabric
Apache License 2.0

go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55: 6 vulnerabilities (highest severity is: 9.8) #103

Open mend-bolt-for-github[bot] opened 2 weeks ago

mend-bolt-for-github[bot] commented 2 weeks ago
Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2022-0329 | Critical | 9.8 | go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 | Direct | 3.3.23,3.4.10 | |
| CVE-2021-3121 | High | 8.6 | github.com/gogo/protobuf-v1.3.1 | Transitive | N/A* | |
| WS-2022-0327 | High | 7.5 | go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 | Direct | 3.3.23,3.4.10 | |
| CVE-2020-15112 | Medium | 6.5 | go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 | Direct | 3.4.10, 3.3.23 | |
| CVE-2020-15106 | Medium | 6.5 | go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 | Direct | v3.3.23;v3.4.10 | |
| CVE-2020-15113 | Medium | 5.7 | go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 | Direct | 3.4.10, 3.3.23 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2022-0329

### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

etcd vulnerable to TOCTOU of gateway endpoint authentication

Publish Date: 2024-11-03

URL: WS-2022-0329

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h8g9-6gvh-5mrc

Release Date: 2022-10-07

Fix Resolution: 3.3.23,3.4.10

CVE-2021-3121

### Vulnerable Library - github.com/gogo/protobuf-v1.3.1

[Deprecated] Protocol Buffers for Go with Gadgets

Library home page: https://proxy.golang.org/github.com/gogo/protobuf/@v/v1.3.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 (Root Library)
  - :x: **github.com/gogo/protobuf-v1.3.1** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

Publish Date: 2021-01-11

URL: CVE-2021-3121

### CVSS 3 Score Details (8.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Release Date: 2021-01-11

Fix Resolution: v1.3.2

WS-2022-0327

### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

etcd having a negative value for cluster node size results in an index out-of-bound panic during service discovery.

Publish Date: 2024-11-03

URL: WS-2022-0327

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9gp7-6833-wv89

Release Date: 2022-10-07

Fix Resolution: 3.3.23,3.4.10

CVE-2020-15112

### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

Publish Date: 2020-08-05

URL: CVE-2020-15112

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23

CVE-2020-15106

### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

Publish Date: 2020-08-05

URL: CVE-2020-15106

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-15106

Release Date: 2020-08-05

Fix Resolution: v3.3.23;v3.4.10

CVE-2020-15113

### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).

Publish Date: 2020-08-05

URL: CVE-2020-15113

### CVSS 3 Score Details (5.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23
