tenortim / isi_sdk_go Goto Github PK

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

Vulnerable Library - gopkg.in/yaml.v2-v2.2.2

YAML support for the Go language.

Library home page: https://proxy.golang.org/gopkg.in/yaml.v2/@v/v2.2.2.zip

Dependency Hierarchy:

• github.com/tenortim/isi_sdk_go/client/cluster_nodes (Root Library)
  • github.com/tenortim/isi_sdk_go/models
    • github.com/go-openapi/swag-v0.19.3
      • ❌ gopkg.in/yaml.v2-v2.2.2 (Vulnerable Library)

Vulnerability Details

Yaml in versions v2.2.0 to v2.2.2 is vulnerable to denial of service vector.
Related to decode.go

Publish Date: 2021-04-14

URL: WS-2021-0200

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0061

Release Date: 2021-04-14

Fix Resolution: v2.2.3

Vulnerable Library - gopkg.in/yaml.v2-v2.2.2

YAML support for the Go language.

Library home page: https://proxy.golang.org/gopkg.in/yaml.v2/@v/v2.2.2.zip

Dependency Hierarchy:

• github.com/tenortim/isi_sdk_go/client/cluster_nodes (Root Library)
  • github.com/tenortim/isi_sdk_go/models
    • github.com/go-openapi/swag-v0.19.3
      • ❌ gopkg.in/yaml.v2-v2.2.2 (Vulnerable Library)

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-02

Fix Resolution: v2.2.8

Vulnerable Library - gopkg.in/yaml.v2-v2.2.2

YAML support for the Go language.

Library home page: https://proxy.golang.org/gopkg.in/yaml.v2/@v/v2.2.2.zip

Dependency Hierarchy:

• github.com/tenortim/isi_sdk_go/client/cluster_nodes (Root Library)
  • github.com/tenortim/isi_sdk_go/models
    • github.com/go-openapi/swag-v0.19.3
      • ❌ gopkg.in/yaml.v2-v2.2.2 (Vulnerable Library)

Vulnerability Details

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

Publish Date: 2022-12-27

URL: CVE-2021-4235

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-27

Fix Resolution: v2.2.3

Vulnerable Library - gopkg.in/yaml.v2-v2.2.2

YAML support for the Go language.

Library home page: https://proxy.golang.org/gopkg.in/yaml.v2/@v/v2.2.2.zip

Dependency Hierarchy:

• github.com/tenortim/isi_sdk_go/client/cluster_nodes (Root Library)
  • github.com/tenortim/isi_sdk_go/models
    • github.com/go-openapi/swag-v0.19.3
      • ❌ gopkg.in/yaml.v2-v2.2.2 (Vulnerable Library)

Vulnerability Details

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Publish Date: 2022-12-27

URL: CVE-2022-3064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2022-0956

Release Date: 2022-12-27

Fix Resolution: v2.2.4

Vulnerable Library - github.com/golang/text/language-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

• github.com/tenortim/isi_sdk_go/client/cluster_nodes (Root Library)
  • github.com/tenortim/isi_sdk_go/models
    • github.com/go-openapi/Validate-v0.19.2
      • github.com/go-openapi/runtime-v0.19.2
        • github.com/go-openapi/runtime/middleware-v0.19.2
          • github.com/go-openapi/spec-v0.19.2
            • github.com/go-openapi/jsonreference-v0.19.2
              • github.com/PuerkitoBio/purell-v1.1.1
                • github.com/golang/net/idna-ca1201d0de80cfde86cb01aea620983605dfe99b
                  • github.com/golang/text/secure/bidirule-v0.3.2
                  • github.com/golang/text/unicode/bidi-v0.3.2
                  • github.com/golang/text-v0.3.2
                  • ❌ github.com/golang/text/language-v0.3.2 (Vulnerable Library)

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

Vulnerable Library - github.com/golang/text/language-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

• github.com/tenortim/isi_sdk_go/client/cluster_nodes (Root Library)
  • github.com/tenortim/isi_sdk_go/models
    • github.com/go-openapi/Validate-v0.19.2
      • github.com/go-openapi/runtime-v0.19.2
        • github.com/go-openapi/runtime/middleware-v0.19.2
          • github.com/go-openapi/spec-v0.19.2
            • github.com/go-openapi/jsonreference-v0.19.2
              • github.com/PuerkitoBio/purell-v1.1.1
                • github.com/golang/net/idna-ca1201d0de80cfde86cb01aea620983605dfe99b
                  • github.com/golang/text/secure/bidirule-v0.3.2
                  • github.com/golang/text/unicode/bidi-v0.3.2
                  • github.com/golang/text-v0.3.2
                  • ❌ github.com/golang/text/language-v0.3.2 (Vulnerable Library)

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7