template-consumer-kafka's Issues
github.com/segmentio/Kafka-go-v0.3.5: 6 vulnerabilities (highest severity is: 7.5)
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in | Remediation Available
---|---|---|---|---|---
CVE-2021-38561 | 7.5 | github.com/golang/text-v0.3.0 | Transitive | N/A | ❌
CVE-2020-9283 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
CVE-2020-29652 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
CVE-2021-43565 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
CVE-2020-14040 | 7.5 | github.com/golang/text-v0.3.0 | Transitive | N/A | ❌
CVE-2020-7919 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
Details
CVE-2021-38561
Vulnerable Library - github.com/golang/text-v0.3.0
[mirror] Go text processing support
Dependency Hierarchy:
- github.com/segmentio/Kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - github.com/xdg-go/stringprep-v1.0.0
      - ❌ github.com/golang/text-v0.3.0 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.
Publish Date: 2021-08-12
URL: CVE-2021-38561
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
Step up your Open Source Security Game with Mend here
CVE-2020-9283
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/Kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in base branch: master
Vulnerability Details
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Publish Date: 2020-02-20
URL: CVE-2020-9283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
Release Date: 2020-02-20
Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236
CVE-2020-29652
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/Kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
CVE-2021-43565
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/Kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in base branch: master
Vulnerability Details
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565
Release Date: 2021-11-10
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1
CVE-2020-14040
Vulnerable Library - github.com/golang/text-v0.3.0
[mirror] Go text processing support
Dependency Hierarchy:
- github.com/segmentio/Kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - github.com/xdg-go/stringprep-v1.0.0
      - ❌ github.com/golang/text-v0.3.0 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
CVE-2020-7919
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/Kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
Publish Date: 2020-03-16
URL: CVE-2020-7919
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7919
Release Date: 2020-03-16
Fix Resolution: go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d
[DepShield] (CVSS 7.5) Vulnerability due to usage of golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3 results in the following vulnerability(s):
- (CVSS 7.5) [CVE-2018-17847] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17142] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17846] Resource Management Errors
- (CVSS 7.5) [CVE-2018-17075] Improper Input Validation
- (CVSS 7.5) [CVE-2018-17848] Data Handling
- (CVSS 7.5) [CVE-2018-17143] Improper Input Validation
Occurrences
golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3 is a transitive dependency introduced by the following direct dependency(s):
• github.com/segmentio:kafka-go:0.3.5
└─ golang.org/x:crypto:0.0.0-20190506204251-e1dfcc566284
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
github.com/segmentio/kafka-go-v0.3.5: 8 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - github.com/segmentio/kafka-go-v0.3.5
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in | Remediation Available
---|---|---|---|---|---
WS-2021-0184 | 7.5 | github.com/datadog/zstd-v1.4.0 | Transitive | N/A | ❌
CVE-2021-38561 | 7.5 | github.com/golang/text-v0.3.0 | Transitive | N/A | ❌
CVE-2020-9283 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
CVE-2020-29652 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
CVE-2021-43565 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
CVE-2020-14040 | 7.5 | github.com/golang/text-v0.3.0 | Transitive | N/A | ❌
CVE-2020-7919 | 7.5 | github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b | Transitive | N/A | ❌
WS-2019-0534 | 5.9 | github.com/datadog/zstd-v1.4.0 | Transitive | N/A | ❌
Details
WS-2021-0184
Vulnerable Library - github.com/datadog/zstd-v1.4.0
Zstd wrapper for Go
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - ❌ github.com/datadog/zstd-v1.4.0 (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
Zstandard in versions v1.3.5 to v1.4.9 is vulnerable to unknown read in MEM_read32.
Publish Date: 2021-05-04
URL: WS-2021-0184
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/OSV-2021-727
Release Date: 2021-05-04
Fix Resolution: v1.5.0
Step up your Open Source Security Game with WhiteSource here
CVE-2021-38561
Vulnerable Library - github.com/golang/text-v0.3.0
[mirror] Go text processing support
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - github.com/xdg-go/stringprep-v1.0.0
      - ❌ github.com/golang/text-v0.3.0 (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.
Publish Date: 2021-08-12
URL: CVE-2021-38561
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
CVE-2020-9283
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Publish Date: 2020-02-20
URL: CVE-2020-9283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
Release Date: 2020-02-20
Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236
CVE-2020-29652
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
CVE-2021-43565
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2020-14040
Vulnerable Library - github.com/golang/text-v0.3.0
[mirror] Go text processing support
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - github.com/xdg-go/stringprep-v1.0.0
      - ❌ github.com/golang/text-v0.3.0 (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
CVE-2020-7919
Vulnerable Library - github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - github.com/xdg/scram-v0.0.1
    - ❌ github.com/golang/crypto-e1dfcc566284e143ba8f9afbb3fa563f2a0d212b (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
Publish Date: 2020-03-16
URL: CVE-2020-7919
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7919
Release Date: 2020-03-16
Fix Resolution: go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d
WS-2019-0534
Vulnerable Library - github.com/datadog/zstd-v1.4.0
Zstd wrapper for Go
Dependency Hierarchy:
- github.com/segmentio/kafka-go-v0.3.5 (Root Library)
  - ❌ github.com/datadog/zstd-v1.4.0 (Vulnerable Library)
Found in HEAD commit: 6f66e057c704726b9b18bb4d86e45dfe79906ad2
Found in base branch: master
Vulnerability Details
The zstd in versions v0.4.3 to v1.4.2 is vulnerable to Stack-buffer-overflow in ZSTD_decodeLiteralsBlock, related to lib/legacy/zstd_v03.c.
Publish Date: 2019-08-15
URL: WS-2019-0534
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/OSV-2020-405
Release Date: 2019-08-15
Fix Resolution: v1.4.3
[DepShield] (CVSS 5.9) Vulnerability due to usage of golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 results in the following vulnerability(s):
Occurrences
golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 is a transitive dependency introduced by the following direct dependency(s):
• github.com/segmentio:kafka-go:0.3.5
└─ golang.org/x:crypto:0.0.0-20190506204251-e1dfcc566284
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2