drawbridge's People

Contributors: dependabot[bot], mend-bolt-for-github[bot], renovate[bot], spokeywheeler

drawbridge's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • fix(deps): update module github.com/pelletier/go-toml/v2 to v2.1.1
  • chore(deps): update dependency ubuntu to v22
  • Create all rate-limited PRs at once

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

All of the paths below sit under cmd/pkg/mod/, which is the on-disk layout of a Go module cache (module@version directories), so what Renovate is reading here are the go.mod, Dockerfile and CI workflow files of third-party modules checked into the repository, not drawbridge's own manifests. The ubuntu and actions/* entries, and the "update dependency ubuntu to v22" PR above, therefore target those vendored copies rather than drawbridge's own build.

dockerfile
cmd/pkg/mod/golang.org/x/[email protected]/unix/linux/Dockerfile
  • ubuntu 22.04
github-actions
cmd/pkg/mod/github.com/knadh/[email protected]/.github/workflows/test.yml
  • actions/checkout v2
  • actions/setup-go v2
  • ubuntu 20.04
cmd/pkg/mod/github.com/mitchellh/[email protected]/.github/workflows/test.yml
  • actions/setup-go v2
  • actions/checkout v2
cmd/pkg/mod/github.com/mitchellh/[email protected]/.github/workflows/test.yml
  • actions/setup-go v2
  • actions/checkout v2
cmd/pkg/mod/gopkg.in/[email protected]/.github/workflows/go.yaml
  • actions/checkout v2
  • actions/setup-go v2
  • ubuntu 20.04
gomod
cmd/pkg/mod/github.com/fsnotify/[email protected]/go.mod
  • go 1.19
  • golang.org/x/sys v0.9.0
cmd/pkg/mod/github.com/knadh/[email protected]/go.mod
  • go 1.19
  • github.com/aws/aws-sdk-go-v2 v1.18.1
  • github.com/aws/aws-sdk-go-v2/config v1.18.27
  • github.com/aws/aws-sdk-go-v2/credentials v1.13.26
  • github.com/aws/aws-sdk-go-v2/service/appconfig v1.17.11
  • github.com/aws/aws-sdk-go-v2/service/sts v1.19.2
  • github.com/fatih/structs v1.1.0
  • github.com/fsnotify/fsnotify v1.6.0
  • github.com/hashicorp/consul/api v1.21.0
  • github.com/hashicorp/hcl v1.0.0
  • github.com/hashicorp/hcl/v2 v2.19.1
  • github.com/hashicorp/vault/api v1.10.0
  • github.com/hjson/hjson-go/v4 v4.3.0
  • github.com/joho/godotenv v1.5.1
  • github.com/mitchellh/copystructure v1.2.0
  • github.com/mitchellh/mapstructure v1.5.0
  • github.com/npillmayer/nestext v0.1.3
  • github.com/pelletier/go-toml v1.9.5
  • github.com/pelletier/go-toml/v2 v2.1.0
  • github.com/rhnvrm/simples3 v0.8.3
  • github.com/spf13/pflag v1.0.5
  • github.com/stretchr/testify v1.8.4
  • go.etcd.io/etcd/client/v3 v3.5.9
  • gopkg.in/yaml.v3 v3.0.1
cmd/pkg/mod/github.com/mitchellh/[email protected]/go.mod
  • go 1.19
  • github.com/mitchellh/reflectwalk v1.0.2
cmd/pkg/mod/github.com/mitchellh/[email protected]/go.mod
  • go 1.19
cmd/pkg/mod/golang.org/x/[email protected]/go.mod
  • go 1.19
cmd/pkg/mod/gopkg.in/[email protected]/go.mod

  • Check this box to trigger a request for Renovate to run again on this repository

github.com/hashicorp/Consul/api-v1.20.0: 1 vulnerability (highest severity is: 8.7) - autoclosed

Vulnerable Library - github.com/hashicorp/Consul/api-v1.20.0

Library home page: https://proxy.golang.org/github.com/hashicorp/consul/api/@v/v1.20.0.zip

Found in HEAD commit: 0c9767cc865b5c0b94b5628f441a02ef6e25e360

Vulnerabilities

CVE            Severity  CVSS  Dependency                               Type    Fixed in  Remediation available
CVE-2023-2816  High      8.7   github.com/hashicorp/Consul/api-v1.20.0  Direct  v1.15.3   ❌

Note that the "fixed in" version (v1.15.3) is lower than the module version flagged (v1.20.0). The advisory behind this finding (HCSEC-2023-16, linked under Suggested Fix below) concerns ACL enforcement inside Consul and Consul Enterprise servers, and v1.15.3 is a Consul server release, so the finding is remediated by upgrading the Consul cluster that drawbridge talks to, not by changing the version of the Go client module, consistent with the ❌ in the Remediation available column.

Details

CVE-2023-2816

Vulnerable Library - github.com/hashicorp/Consul/api-v1.20.0

Library home page: https://proxy.golang.org/github.com/hashicorp/consul/api/@v/v1.20.0.zip

Dependency Hierarchy:

  • ❌ github.com/hashicorp/Consul/api-v1.20.0 (Vulnerable Library)

Found in HEAD commit: 0c9767cc865b5c0b94b5628f441a02ef6e25e360

Found in base branch: main

Vulnerability Details

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Publish Date: 2023-06-02

URL: CVE-2023-2816

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525

Release Date: 2023-06-02

Fix Resolution: v1.15.3

Step up your Open Source Security Game with Mend here

go.etcd.io/etcd/client/v3-v3.5.9: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - go.etcd.io/etcd/client/v3-v3.5.9

Found in HEAD commit: c5da1087dc006f88b4a2c8473c618300ff349911

Vulnerabilities

CVE             Severity  CVSS  Dependency               Type        Fixed in (etcd client version)  Remediation possible**
CVE-2023-39325  High      7.5   golang.org/x/net-v0.7.0  Transitive  N/A*                            ❌

* For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the Details section below for a version of the transitive dependency in which the vulnerability is fixed.

** In some cases a remediation PR cannot be created automatically even though a remediation is available.

Details

CVE-2023-39325

Vulnerable Library - golang.org/x/net-v0.7.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.7.0.zip

Dependency Hierarchy:

  • go.etcd.io/etcd/client/v3-v3.5.9 (Root Library)
    • google.golang.org/grpc-v1.41.0
      • ❌ golang.org/x/net-v0.7.0 (Vulnerable Library)

Found in HEAD commit: c5da1087dc006f88b4a2c8473c618300ff349911

Found in base branch: main

Vulnerability Details

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
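The fix described above lives inside the HTTP/2 server, but the same admission rule can be enforced at the application layer for every protocol the process serves. The following is an added example written for this page, not code from golang.org/x/net or from drawbridge: a limiter with an execution bound (the analogue of MaxConcurrentStreams) and a queue bound, which answers 503 when the queue is full where the patched server would close the connection. The Limiter type, the limits, the stand-in handler and the request path are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Limiter bounds how many handlers execute at once (inflight) and how many
// requests may wait for a slot (queue). Added example, not x/net code: the
// patched http2 server applies the same idea per connection, this middleware
// applies it per process, for HTTP/1.1 and HTTP/2 alike, as defence in depth.
type Limiter struct {
	inflight chan struct{} // one token per executing handler
	queue    chan struct{} // one token per request waiting for an inflight token
}

func NewLimiter(maxInflight, maxQueued int) *Limiter {
	return &Limiter{
		inflight: make(chan struct{}, maxInflight),
		queue:    make(chan struct{}, maxQueued),
	}
}

func (l *Limiter) release() { <-l.inflight }

// enqueue takes a queue token without blocking; false means the queue is
// full, the condition under which the fixed http2 server drops the
// connection. Here the caller answers 503 instead.
func (l *Limiter) enqueue() bool {
	select {
	case l.queue <- struct{}{}:
		return true
	default:
		return false
	}
}

// wait blocks until an execution slot is free, hands the queue token back
// and returns the function that frees the execution slot.
func (l *Limiter) wait() func() {
	l.inflight <- struct{}{}
	<-l.queue
	return l.release
}

// Acquire is the admission decision: run immediately if a slot is free,
// wait if the queue has room, reject otherwise.
func (l *Limiter) Acquire() (release func(), ok bool) {
	select {
	case l.inflight <- struct{}{}:
		return l.release, true
	default:
	}
	if !l.enqueue() {
		return nil, false
	}
	return l.wait(), true
}

// Wrap applies the limiter to any http.Handler.
func (l *Limiter) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		release, ok := l.Acquire()
		if !ok {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "server busy", http.StatusServiceUnavailable)
			return
		}
		defer release()
		next.ServeHTTP(w, r)
	})
}

// OKHandler stands in for the application; it sleeps to hold its slot.
func OKHandler(hold time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(hold)
		w.WriteHeader(http.StatusOK)
	})
}

// Serve pushes one GET through h in-process and returns the status code.
func Serve(h http.Handler) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code
}

func main() {
	// 50 concurrent requests against 2 execution slots and 4 queue slots:
	// at most 6 are admitted at any instant, the rest get 503 immediately.
	h := NewLimiter(2, 4).Wrap(OKHandler(20 * time.Millisecond))
	codes := make(chan int, 50)
	for i := 0; i < 50; i++ {
		go func() { codes <- Serve(h) }()
	}
	busy := 0
	for i := 0; i < 50; i++ {
		if <-codes == http.StatusServiceUnavailable {
			busy++
		}
	}
	fmt.Printf("served %d, rejected %d\n", 50-busy, busy)
}
```

This is defence in depth, not a substitute for the upgrade in the Suggested Fix below: an unpatched server still starts a goroutine per stream before the middleware runs, so the cost of the resets themselves is unchanged; what the middleware bounds is the handler work each of those goroutines would otherwise go on to do.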

Publish Date: 2023-10-11

URL: CVE-2023-39325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2023-2102

Release Date: 2023-10-11

Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0

github.com/HashiCorp/vault/api-v1.0.4: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/HashiCorp/vault/api-v1.0.4

Found in HEAD commit: 64773dc2ff7b1509222d7a4c4ca08be3f98526b4

Vulnerabilities

CVE             Severity  CVSS  Dependency                Type        Fixed in (Vault API client version)  Remediation available
CVE-2021-38561  High      7.5   golang.org/x/text-v0.3.6  Transitive  N/A*                                 ❌
CVE-2022-32149  High      7.5   golang.org/x/text-v0.3.6  Transitive  N/A*                                 ❌

* For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the Details section below for a version of the transitive dependency in which the vulnerability is fixed.

Details

CVE-2021-38561

Vulnerable Library - golang.org/x/text-v0.3.6

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.6.zip

Dependency Hierarchy:

  • github.com/HashiCorp/vault/api-v1.0.4 (Root Library)
    • golang.org/x/net
      • ❌ golang.org/x/text-v0.3.6 (Vulnerable Library)

Found in HEAD commit: 64773dc2ff7b1509222d7a4c4ca08be3f98526b4

Found in base branch: main

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

CVE-2022-32149

Vulnerable Library - golang.org/x/text-v0.3.6

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.6.zip

Dependency Hierarchy:

  • github.com/HashiCorp/vault/api-v1.0.4 (Root Library)
    • golang.org/x/net
      • ❌ golang.org/x/text-v0.3.6 (Vulnerable Library)

Found in HEAD commit: 64773dc2ff7b1509222d7a4c4ca08be3f98526b4

Found in base branch: main

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
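Both golang.org/x/text findings in this issue (CVE-2021-38561 above, the out-of-bounds read in language tag parsing, and CVE-2022-32149 here, the slow ParseAcceptLanguage path) are reached through the same untrusted input, the Accept-Language header. Until the module is upgraded past v0.3.8 the header can be bounded before any parser sees it. This is an added example, not code from x/text, Vault or drawbridge: the byte and tag limits, the function and middleware names and the fallback behaviour are assumptions for the demonstration.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Bounds enforced before any BCP 47 parser (such as x/text's
// language.ParseAcceptLanguage) sees the header. Both numbers are
// assumptions chosen for this example.
const (
	MaxAcceptLanguageBytes = 256
	MaxAcceptLanguageTags  = 8
)

// tagRE is the language-range grammar of RFC 4647 section 2.1: "*" or a
// 1-8 letter primary subtag followed by optional 1-8 character alphanumeric
// subtags. qRE is the qvalue grammar of RFC 7231 section 5.3.1.
var (
	tagRE = regexp.MustCompile(`^(\*|[A-Za-z]{1,8})(-[A-Za-z0-9]{1,8})*$`)
	qRE   = regexp.MustCompile(`^q=(0(\.[0-9]{0,3})?|1(\.0{0,3})?)$`)
)

var ErrAcceptLanguage = errors.New("accept-language: rejected before parsing")

// BoundAcceptLanguage returns a normalised copy of an Accept-Language value
// that is within the size limits and matches the grammar, or an error.
// Anything that fails here would otherwise reach the parser as attacker input.
func BoundAcceptLanguage(v string) (string, error) {
	if len(v) > MaxAcceptLanguageBytes {
		return "", ErrAcceptLanguage
	}
	var out []string
	for _, part := range strings.Split(v, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		tag, q, hasQ := strings.Cut(part, ";")
		tag = strings.TrimSpace(tag)
		if !tagRE.MatchString(tag) {
			return "", ErrAcceptLanguage
		}
		if hasQ {
			q = strings.TrimSpace(q)
			if !qRE.MatchString(q) {
				return "", ErrAcceptLanguage
			}
			tag += ";" + q
		}
		out = append(out, tag)
		if len(out) > MaxAcceptLanguageTags {
			return "", ErrAcceptLanguage
		}
	}
	return strings.Join(out, ", "), nil
}

// BoundAcceptLanguageHeader is middleware: a header that fails the check is
// removed so the application falls back to its default locale. Locale
// negotiation is a convenience, so failing open (no header) is safer than
// failing closed (a parser crash or a multi-second parse).
func BoundAcceptLanguageHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := r.Header.Get("Accept-Language"); v != "" {
			if clean, err := BoundAcceptLanguage(v); err == nil {
				r.Header.Set("Accept-Language", clean) // also collapses repeated header lines
			} else {
				r.Header.Del("Accept-Language")
			}
		}
		next.ServeHTTP(w, r)
	})
}

// HeaderSeenByApp runs one request through the middleware and reports the
// Accept-Language value the application handler actually received.
func HeaderSeenByApp(raw string) string {
	seen := ""
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Accept-Language")
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Accept-Language", raw)
	BoundAcceptLanguageHeader(app).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}
```

Prefer the upgrade; this guard is cheap insurance against the next parser bug in the same spot, and dropping the header on failure keeps locale negotiation working at the default locale for everyone else.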

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

go.etcd.io/etcd/client/v3-v3.5.6: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - go.etcd.io/etcd/client/v3-v3.5.6

Found in HEAD commit: 599e2090707d2fdcb87d68de1d8173306ccd7b9d

Vulnerabilities

CVE             Severity  CVSS  Dependency                                           Type        Fixed in (etcd client version)  Remediation available
CVE-2022-27664  High      7.5   golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f  Transitive  N/A*                            ❌
CVE-2022-30633  High      7.5   golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f  Transitive  N/A*                            ❌
CVE-2022-41721  High      7.5   golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f  Transitive  N/A*                            ❌
CVE-2022-28131  High      7.5   golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f  Transitive  N/A*                            ❌

* For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the Details section below for a version of the transitive dependency in which the vulnerability is fixed.

Two of these findings are misattributed to golang.org/x/net: the descriptions and Fix Resolutions for CVE-2022-30633 and CVE-2022-28131 below name encoding/xml and Go releases (go1.17.12, go1.18.4), which is standard-library code. No version of x/net changes them; rebuilding with a fixed toolchain does, and `go version -m <binary>` shows which Go release a binary was built with.
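All three Mend issues on this page mark their transitive findings N/A because the direct dependency (the etcd client, the Vault API client) has no release that pulls in a fixed x/net or x/text. In Go that does not block remediation: the build uses the highest version of a module required anywhere in the graph, so `go get golang.org/x/net@v0.17.0` followed by `go mod tidy` raises the transitive version directly. The check that the raise worked is a comparison of `go list -m all` output against the fix versions, which the following added example does. It is not drawbridge code and not part of any scanner; the build list is constructed to mirror the versions in the issues, the advisory table holds only the findings on this page that a module bump fixes, and the type and function names are assumptions. For the encoding/xml entries, whose Fix Resolution names Go releases, the thing to compare is the toolchain version printed by `go version -m <binary>` instead.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one row from the Mend tables on this page, kept to findings
// that a module version bump remediates. The encoding/xml findings are left
// out on purpose: their fix is a Go release, not a module version.
type Advisory struct {
	ID, Module, Fixed string // Fixed is the first version that is not vulnerable
}

var Advisories = []Advisory{
	{"CVE-2023-39325 / GO-2023-2102", "golang.org/x/net", "v0.17.0"},
	{"CVE-2021-38561 / GO-2021-0113", "golang.org/x/text", "v0.3.7"},
	{"CVE-2022-32149", "golang.org/x/text", "v0.3.8"},
}

// SampleBuildList is constructed for this example in the format that
// `go list -m all` prints; the versions mirror the ones in the issues above.
const SampleBuildList = `github.com/example/drawbridge
go.etcd.io/etcd/client/v3 v3.5.9
google.golang.org/grpc v1.41.0
golang.org/x/net v0.7.0
golang.org/x/text v0.3.6
github.com/hashicorp/vault/api v1.0.4
`

// parseVersion splits "vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]".
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata such as +incompatible never affects precedence
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// Less reports whether a precedes b in the order Go modules use: numeric
// major.minor.patch, and a version with a pre-release part precedes the same
// numbers without one. A pseudo-version such as
// v0.0.0-20211216030914-fe4d6282115f is a pre-release of v0.0.0, so it
// precedes v0.7.0 and v0.17.0 alike. Pre-release strings are compared as
// text, which orders Go's timestamp-based pseudo-versions correctly but is
// not the full semver identifier-by-identifier rule. Unparseable input is
// never "less"; Vulnerable reports it separately.
func Less(a, b string) bool {
	an, apre, aok := parseVersion(a)
	bn, bpre, bok := parseVersion(b)
	if !aok || !bok {
		return false
	}
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	switch {
	case apre == bpre, apre == "":
		return false
	case bpre == "":
		return true
	}
	return apre < bpre
}

// Vulnerable scans a build list ("path version" per line, replacement
// arrows honoured) and returns one line per advisory that applies.
func Vulnerable(buildList string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(buildList))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // the main module has no version
		}
		path, ver := f[0], f[1]
		if len(f) >= 5 && f[2] == "=>" {
			path, ver = f[3], f[4] // "old v1 => new v2": the replacement is what gets built
		} else if len(f) >= 3 && f[2] == "=>" {
			continue // replaced by a local directory: no version to compare
		}
		for _, adv := range Advisories {
			if adv.Module != path {
				continue
			}
			if _, _, ok := parseVersion(ver); !ok {
				findings = append(findings, fmt.Sprintf("%s %s: cannot parse version, check %s by hand", path, ver, adv.ID))
			} else if Less(ver, adv.Fixed) {
				findings = append(findings, fmt.Sprintf("%s %s: %s (fixed in %s)", path, ver, adv.ID, adv.Fixed))
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Vulnerable(SampleBuildList) {
		fmt.Println(f)
	}
}
```

In practice `govulncheck ./...` does this comparison against the Go vulnerability database and additionally reports whether the vulnerable function is reachable from the program; the example shows the version rule that check rests on, and runs offline on a saved build list.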

Details

CVE-2022-27664

Vulnerable Library - golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20211216030914-fe4d6282115f.zip

Dependency Hierarchy:

  • go.etcd.io/etcd/client/v3-v3.5.6 (Root Library)
    • google.golang.org/grpc-v1.41.0
      • ❌ golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f (Vulnerable Library)

Found in HEAD commit: 599e2090707d2fdcb87d68de1d8173306ccd7b9d

Found in base branch: main

Vulnerability Details

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Publish Date: 2022-09-06

URL: CVE-2022-27664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2022-30633

Vulnerable Library - golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20211216030914-fe4d6282115f.zip

Dependency Hierarchy:

  • go.etcd.io/etcd/client/v3-v3.5.6 (Root Library)
    • google.golang.org/grpc-v1.41.0
      • ❌ golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f (Vulnerable Library)

Found in HEAD commit: 599e2090707d2fdcb87d68de1d8173306ccd7b9d

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

Publish Date: 2022-08-10

URL: CVE-2022-30633

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

CVE-2022-41721

Vulnerable Library - golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20211216030914-fe4d6282115f.zip

Dependency Hierarchy:

  • go.etcd.io/etcd/client/v3-v3.5.6 (Root Library)
    • google.golang.org/grpc-v1.41.0
      • ❌ golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f (Vulnerable Library)

Found in HEAD commit: 599e2090707d2fdcb87d68de1d8173306ccd7b9d

Found in base branch: main

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2022-28131

Vulnerable Library - golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20211216030914-fe4d6282115f.zip

Dependency Hierarchy:

  • go.etcd.io/etcd/client/v3-v3.5.6 (Root Library)
    • google.golang.org/grpc-v1.41.0
      • ❌ golang.org/x/net-v0.0.0-20211216030914-fe4d6282115f (Vulnerable Library)

Found in HEAD commit: 599e2090707d2fdcb87d68de1d8173306ccd7b9d

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
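CVE-2022-30633 above (Unmarshal into a struct with an ",any" field) and this finding (Decoder.Skip) share a root cause: encoding/xml recursed once per element, so a deeply nested document exhausted the goroutine stack. The toolchain upgrade named in the Fix Resolution is the remedy. The following added example (not code from Go, etcd or drawbridge) shows the guard to put in front of the decoder in the meantime, or when a tighter limit than the fixed toolchain's default is wanted: an iterative depth count over the token stream before the recursive decoder runs. The Node type, the size and depth limits and the constructed nested document are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// Node is the kind of struct the advisory describes: the ",any" field makes
// Unmarshal recurse once per nesting level of the document.
type Node struct {
	XMLName  xml.Name
	Children []Node `xml:",any"`
}

// MaxDepth walks the token stream with an explicit depth counter and stops
// at the first element deeper than maxDepth. The decoder's own recursion
// (Skip, Unmarshal) never runs here, so stack use is bounded by the counter,
// not by the document. It returns the deepest nesting seen on success.
func MaxDepth(r io.Reader, maxDepth int) (int, error) {
	dec := xml.NewDecoder(r)
	dec.Strict = true
	depth, deepest := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return deepest, nil
		}
		if err != nil {
			return deepest, err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > maxDepth {
				return depth, ErrTooDeep
			}
			if depth > deepest {
				deepest = depth
			}
		case xml.EndElement:
			depth--
		}
	}
}

// UnmarshalBounded is the drop-in for xml.Unmarshal on untrusted input: the
// document is checked for size and depth first and only then decoded. Two
// passes cost roughly double, which is the price of keeping the recursive
// decoder away from unchecked input. maxBytes guards the other cheap
// amplification, a huge flat document.
func UnmarshalBounded(data []byte, maxBytes, maxDepth int, v any) error {
	if len(data) > maxBytes {
		return errors.New("xml: document exceeds size limit")
	}
	if _, err := MaxDepth(bytes.NewReader(data), maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(data, v)
}

// Nested builds a constructed document <a><a>...</a></a> with n levels,
// the shape of the stack-exhaustion input.
func Nested(n int) string {
	return strings.Repeat("<a>", n) + strings.Repeat("</a>", n)
}

// Depth is MaxDepth over a string, for callers that already hold the text.
func Depth(doc string, maxDepth int) (int, error) {
	return MaxDepth(strings.NewReader(doc), maxDepth)
}

func main() {
	var n Node
	err := UnmarshalBounded([]byte(Nested(100000)), 1<<20, 1000, &n)
	fmt.Println("100000 levels against a limit of 1000:", err)
}
```

Choose maxDepth from the documents the application actually accepts (a few dozen levels covers most configuration and API payloads) rather than from what the toolchain tolerates; the guard is also where to reject documents early, before any allocation for the decoded tree.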

Publish Date: 2022-08-10

URL: CVE-2022-28131

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131

Release Date: 2022-03-29

Fix Resolution: go1.17.12,go1.18.4
