vipinsun / fabric

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. Its modular and versatile design satisfies a broad range of industry use cases. It offers a unique approach to consensus that enables performance at scale while preserving privacy.
https://wiki.hyperledger.org/display/fabric
Apache License 2.0
0 stars 0 forks source link

go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55: 6 vulnerabilities (highest severity is: 9.8) #103

Open mend-bolt-for-github[bot] opened 1 month ago

mend-bolt-for-github[bot] commented 1 month ago
Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726 version) Remediation Possible**
WS-2022-0329 Critical 9.8 go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 Direct 3.3.23,3.4.10
CVE-2021-3121 High 8.6 github.com/gogo/protobuf-v1.3.1 Transitive N/A*
WS-2022-0327 High 7.5 go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 Direct 3.3.23,3.4.10
CVE-2020-15112 Medium 6.5 go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 Direct 3.4.10, 3.3.23
CVE-2020-15106 Medium 6.5 go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 Direct v3.3.23;v3.4.10
CVE-2020-15113 Medium 5.7 go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 Direct 3.4.10, 3.3.23

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2022-0329 ### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy: - :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

etcd vulnerable to TOCTOU of gateway endpoint authentication

Publish Date: 2024-11-03

URL: WS-2022-0329

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h8g9-6gvh-5mrc

Release Date: 2022-10-07

Fix Resolution: 3.3.23,3.4.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3121 ### Vulnerable Library - github.com/gogo/protobuf-v1.3.1

[Deprecated] Protocol Buffers for Go with Gadgets

Library home page: https://proxy.golang.org/github.com/gogo/protobuf/@v/v1.3.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy: - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55 (Root Library) - :x: **github.com/gogo/protobuf-v1.3.1** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

Publish Date: 2021-01-11

URL: CVE-2021-3121

### CVSS 3 Score Details (8.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Release Date: 2021-01-11

Fix Resolution: v1.3.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2022-0327 ### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy: - :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

etcd having a negative value for cluster node size results in an index out-of-bound panic during service discovery.

Publish Date: 2024-11-03

URL: WS-2022-0327

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9gp7-6833-wv89

Release Date: 2022-10-07

Fix Resolution: 3.3.23,3.4.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-15112 ### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy: - :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

Publish Date: 2020-08-05

URL: CVE-2020-15112

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-15106 ### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy: - :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

Publish Date: 2020-08-05

URL: CVE-2020-15106

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-15106

Release Date: 2020-08-05

Fix Resolution: v3.3.23;v3.4.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-15113 ### Vulnerable Library - go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55

Distributed reliable key-value store for the most critical data of a distributed system

Library home page: https://proxy.golang.org/go.etcd.io/etcd/@v/v0.5.0-alpha.5.0.20181228115726-23731bf9ba55.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy: - :x: **go.etcd.io/etcd-v0.5.0-alpha.5.0.20181228115726-23731bf9ba55** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).

Publish Date: 2020-08-05

URL: CVE-2020-15113

### CVSS 3 Score Details (5.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-08-05

Fix Resolution: 3.4.10, 3.3.23

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)