
vonage-go-sdk's Introduction

Vonage Go SDK


Nexmo is now known as Vonage

This is the community-supported Golang library for Vonage. It has support for a handful of our APIs, but is no longer under active development. Issues, pull requests, and other input are very welcome. The package documentation is available on pkg.go.

If you don't already know Vonage: We make telephony APIs. If you need to make a call, check a phone number, or send an SMS then you are in the right place! If you don't have one yet, you can sign up for a Vonage account and get some free credit to get you started.

Installation

Find current and past releases on the releases page.

Import the package and use it in your own project:

import ("github.com/vonage/vonage-go-sdk")

Usage

Usage examples are in the docs/ folder - also rendered via GitHub pages: https://vonage.github.io/vonage-go-sdk/

API Support

Current state of API support in this library:

API API Release Status Supported?
Account API General Availability
Alerts API General Availability
Application API General Availability
Audit API Beta
Conversation API Beta
Dispatch API Beta
External Accounts API Beta
Media API Beta
Messages API Beta
Number Insight API General Availability
Number Management API General Availability
Pricing API General Availability
Redact API Developer Preview
Reports API Beta
SMS API General Availability
Verify API General Availability
Voice API General Availability

Contributions

Yes please! This library is open source, community-driven, and benefits greatly from the input of its users.

Please make all your changes on a branch and open a pull request; these are welcome and will be reviewed with delight! If it's a big change, it is recommended to open an issue for discussion before you start.

All changes require tests to go with them.

Using a Local Branch

Refer to this excellent blog post for instructions on how to use a local clone of this repository as the import in your own project. This is really useful when you are using a version of the library other than the latest stable release - for example if you are working on a change, or testing an open pull request.

Getting Help

We love to hear from you so if you have questions, comments or find a bug in the project, let us know! You can either:

Further Reading

License

This library is released under the Apache 2.0 License.

vonage-go-sdk's People

Contributors

avinashdhinwa, dragonmantank, fraenky8, hot9cups, judy2k, lornajane, magicmonkey, martyndavies, moficodes, novalagung, seopei, strum355, uroshercog


vonage-go-sdk's Issues

call end instantly when message contain SSML

Hello, so I tried creating a call with a message containing SSML, like this for example:
<speak> Hello <break time='3s'> how are you? </speak>

Whenever I answered the call, it always hung up instantly.

Is it not possible to create a call with a message containing SSML?

Unable to import module

Hello,

I'm trying to simply import this module to my project, but go doesn't seem to like it:

❯ go get 'github.com/Vonage/vonage-go-sdk'
go: github.com/Vonage/[email protected]: parsing go.mod:
	module declares its path as: github.com/vonage/vonage-go-sdk
	        but was required as: github.com/Vonage/vonage-go-sdk

To be clear, simply importing the library in code and having the toolchain automatically pick it up is also not working.

After some searching around, I've found a couple of articles related to the issue, but haven't been able to solve it.

I'm still relatively new to Go, and the module system is a bit confusing at times, so maybe I'm doing something wrong here.

Any help would be appreciated.

❯ go version
go version go1.16 linux/amd64

github-pages-226.gem: 1 vulnerabilities (highest severity is: 3.3) - autoclosed

Vulnerable Library - github-pages-226.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/octokit-4.24.0.gem

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-31072 Low 3.3 octokit-4.24.0.gem Transitive N/A

Details

CVE-2022-31072

Vulnerable Library - octokit-4.24.0.gem

Simple wrapper for the GitHub API

Library home page: https://rubygems.org/gems/octokit-4.24.0.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/octokit-4.24.0.gem

Dependency Hierarchy:

  • github-pages-226.gem (Root Library)
    • github-pages-health-check-1.17.9.gem
      • octokit-4.24.0.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

Publish Date: 2022-06-15

URL: CVE-2022-31072

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31072

Release Date: 2022-06-15

Fix Resolution: octokit - 4.25.0

Some public API return types have private subtypes, which makes the SDK hard to work with

Please update public API return types so they do not come from internal packages, as it makes them impossible to mock. It's also kind of bad practice to return private data types on a public API, as it makes it harder for people to work with and test, etc.

For example, type vonage.ApplicationResponse is exposed on the public API but contains the subtype application.ApplicationResponseKeys, which is internal to the module. Therefore, when I try to create my own value in my tests like so, I get a compilation error.

vonage.ApplicationResponse{
	Id:   applicationID,
	Name: applicationName,
	Keys: application.ApplicationResponseKeys{
		PublicKey:  publicKeyString,
		PrivateKey: privateKeyString,
	},
}

The vonage package itself should also define its own type ApplicationResponseKeys.

Custom HTTP client

The previous SDK had a NewClient function that accepts a custom HTTP client and the auth set. I can't seem to find my way around how to include a custom HTTP client with this library. Also, amazing work with the library!

Callback support/Delivery Receipt Processing

The Golang client we are currently using has implemented Delivery Receipts. In moving to this client implementation, it appears that callbacks are on the TODO list. Is there a timeline for when this client will support processing delivery receipts? We have that on our roadmap. Additionally, if this is already supported and there is an example, we can use that as well.

Add pin_code parameter on VerifyRequest

We leverage the pin_code parameter on our requests to the Verify API. We would like to have this parameter added so we can adopt using this client moving forward.

github.com/golang/oauth2-v0.0.0-20200107190931-bf48bf16ab8d: 5 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/golang/oauth2-v0.0.0-20200107190931-bf48bf16ab8d

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/golang/oauth2-v0.0.0 version) Remediation Possible**
CVE-2022-41721 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2022-27664 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2021-44716 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2021-33194 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2021-31525 Medium 5.9 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-41721

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-v0.0.0-20200107190931-bf48bf16ab8d (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-13

Fix Resolution: v0.2.0

CVE-2022-27664

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-v0.0.0-20200107190931-bf48bf16ab8d (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Publish Date: 2022-09-06

URL: CVE-2022-27664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2022-0969

Release Date: 2022-09-06

Fix Resolution: golang.org/x/net - 0.0.0-20220906165146-f3363e06e74c, go1.18.6, go1.19.1

CVE-2021-44716

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-v0.0.0-20200107190931-bf48bf16ab8d (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

CVE-2021-33194

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-v0.0.0-20200107190931-bf48bf16ab8d (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023

CVE-2021-31525

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-v0.0.0-20200107190931-bf48bf16ab8d (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

Move from Voice Names to Voice Styles

We use Voice Styles now, rather than voice names. Add support for styles, and update the docs to use this approach (bonus points if you can find Nicole in the new styles setup, she's my favourite!)

Unicode is not supported?

I send some Chinese words and they become ??????; any solution?
I think the words are UTF-8 inside Golang, but when they come out into the API they become ????

Create a release tag

Hi, it would be nice if you created a tag for this repo. The primary reason is that not all package managers support sticking to a specific commit hash. Thank you in advance.

Upgrade JWT library dependency to fix CVE

It looks like dgrijalva/jwt-go has been superseded by the golang-jwt/jwt library. The older 'dgrijalva' library has security vulnerabilities logged against it. Could this repo change to use the golang-jwt/jwt library in its place?

github-pages-227.gem: 6 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - github-pages-227.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github-pages version) Remediation Possible**
WS-2023-0095 High 7.5 commonmarker-0.23.6.gem Transitive N/A*
CVE-2023-26485 High 7.5 commonmarker-0.23.6.gem Transitive N/A*
CVE-2023-24824 High 7.5 commonmarker-0.23.6.gem Transitive N/A*
CVE-2023-22796 High 7.5 activesupport-6.0.6.gem Transitive N/A*
CVE-2022-23476 High 7.5 nokogiri-1.13.8-x86_64-linux.gem Transitive N/A*
CVE-2023-38037 Medium 4.3 activesupport-6.0.6.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0095

Vulnerable Library - commonmarker-0.23.6.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.23.6.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/commonmarker-0.23.6.gem

Dependency Hierarchy:

  • github-pages-227.gem (Root Library)
    • jekyll-commonmark-ghpages-0.2.0.gem
      • commonmarker-0.23.6.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

Commonmarker vulnerable to several quadratic complexity bugs that may lead to denial of service

Publish Date: 2023-04-12

URL: WS-2023-0095

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-48wp-p9qv-4j64

Release Date: 2023-04-12

Fix Resolution: commonmarker - 0.23.9

CVE-2023-26485

Vulnerable Library - commonmarker-0.23.6.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.23.6.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/commonmarker-0.23.6.gem

Dependency Hierarchy:

  • github-pages-227.gem (Root Library)
    • jekyll-commonmark-ghpages-0.2.0.gem
      • commonmarker-0.23.6.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with large numbers of _ characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Impact: A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.

Proof of concept:

  $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext

Increasing the number 10000 in the above commands causes the running time to increase quadratically.

Patches: This vulnerability has been patched in 0.29.0.gfm.10.

Note on cmark and cmark-gfm: XXX: TBD. cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both cmark and cmark-gfm.

Credit: We would like to thank @gravypod for reporting this vulnerability.

References: https://en.wikipedia.org/wiki/Time_complexity

For more information: If you have any questions or comments about this advisory, open an issue in github/cmark-gfm.

Publish Date: 2023-03-31

URL: CVE-2023-26485

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-48wp-p9qv-4j64

Release Date: 2023-03-31

Fix Resolution: commonmarker - 0.23.9

CVE-2023-24824

Vulnerable Library - commonmarker-0.23.6.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.23.6.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/commonmarker-0.23.6.gem

Dependency Hierarchy:

  • github-pages-227.gem (Root Library)
    • jekyll-commonmark-ghpages-0.2.0.gem
      • commonmarker-0.23.6.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of > or - characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Publish Date: 2023-03-31

URL: CVE-2023-24824

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-48wp-p9qv-4j64

Release Date: 2023-03-31

Fix Resolution: commonmarker - 0.23.9

CVE-2023-22796

Vulnerable Library - activesupport-6.0.6.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.0.6.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem

Dependency Hierarchy:

  • github-pages-227.gem (Root Library)
    • jemoji-0.12.0.gem
      • html-pipeline-2.14.2.gem
        • activesupport-6.0.6.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Publish Date: 2023-02-09

URL: CVE-2023-22796

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j6gc-792m-qgm2

Release Date: 2023-02-09

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1

CVE-2022-23476

Vulnerable Library - nokogiri-1.13.8-x86_64-linux.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.13.8-x86_64-linux.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.13.8-x86_64-linux.gem

Dependency Hierarchy:

  • github-pages-227.gem (Root Library)
    • nokogiri-1.13.8-x86_64-linux.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Publish Date: 2022-12-08

URL: CVE-2022-23476

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-08

Fix Resolution: nokogiri - 1.13.10

CVE-2023-38037

Vulnerable Library - activesupport-6.0.6.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.0.6.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem

Dependency Hierarchy:

  • github-pages-227.gem (Root Library)
    • jemoji-0.12.0.gem
      • html-pipeline-2.14.2.gem
        • activesupport-6.0.6.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

Active Support Possibly Discloses Locally Encrypted Files

Publish Date: 2023-07-12

URL: CVE-2023-38037

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cr5q-6q9f-rq6q

Release Date: 2023-07-12

Fix Resolution: activesupport - 6.1.7.5,7.0.7.1

github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303: 5 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303 version) Remediation Possible**
CVE-2022-41721 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2022-27664 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2021-44716 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2021-33194 High 7.5 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*
CVE-2021-31525 Medium 5.9 github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-41721

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303 (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-13

Fix Resolution: v0.2.0

CVE-2022-27664

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303 (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Publish Date: 2022-09-06

URL: CVE-2022-27664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2022-0969

Release Date: 2022-09-06

Fix Resolution: golang.org/x/net - 0.0.0-20220906165146-f3363e06e74c, go1.18.6, go1.19.1

CVE-2021-44716

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303 (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

CVE-2021-33194

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303 (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023

CVE-2021-31525

Vulnerable Library - github.com/golang/net-v0.0.0-20190603091049-60506f45cf65

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/github.com/golang/net/@v/v0.0.0-20190603091049-60506f45cf65.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/golang/oauth2-bf48bf16ab8d622ce64ec6ce98d2c98f916b6303 (Root Library)
    • github.com/golang/net-v0.0.0-20190603091049-60506f45cf65 (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

tzinfo-1.2.9.gem: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - tzinfo-1.2.9.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.9.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /by/2.7.0/cache/tzinfo-1.2.9.gem

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-31163 High 7.5 tzinfo-1.2.9.gem Direct tzinfo - 0.3.61,1.2.10

Details

CVE-2022-31163

Vulnerable Library - tzinfo-1.2.9.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.9.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /by/2.7.0/cache/tzinfo-1.2.9.gem

Dependency Hierarchy:

  • tzinfo-1.2.9.gem (Vulnerable Library)

Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361

Found in base branch: master

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-22

URL: CVE-2022-31163

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-22

Fix Resolution: tzinfo - 0.3.61,1.2.10

⛑️ Automatic Remediation is available for this issue.

The pin expiry option is ignored in the Verify request

Setting pin expiry to 60 seconds has no effect. The SMS received after the API call states that the pin will expire after 5 minutes (the default value).

Example:

	opts := vonage.VerifyOpts{
		PinExpiry:  60,
	}
	response, errResp, err := verifyClient.Request(
		phoneNumber,
		"TestBrand",
		opts,
	)

Example of voice call

Hello!

Thanks for your work on this library 😄

I'm having problems setting up a voice call using the library.
The problem is in the To attribute, which I don't understand why it is a []interface{}.

Here's what I currently have:

	callReq := nexmo.CreateCallRequest{
		To: []interface{}{
			nexmo.PhoneCallEndpoint{
				Type:   "phone",
				Number: myPhoneNumber,
			},
		},
		From:      "1234567890",
		AnswerURL: []string{"https://nexmo-community.github.io/ncco-examples/first_call_talk.json"},
	}

Already tried the phone number directly:

	callReq := nexmo.CreateCallRequest{
		To: []interface{}{phoneNumber},
		From:      "1234567890",
		AnswerURL: []string{"https://nexmo-community.github.io/ncco-examples/first_call_talk.json"},
	}

But I always get an error related to marshaling the To attribute:

2018/11/20 18:46:35 Could not decode: {"type":400,"title":"Bad Request","invalid_parameters":[{"reason":"Missing type id when trying to resolve subtype of [simple type, class com.nexmo.vapi.ncco.core.action.endpoint.Endpoint]: missing type id property 'type' (for POJO property 'from')","name":"from"}]}

Could you post an example of a voice call, please?

Thanks in advance for your support!

Add Custom JSON Marshalling to NCCO

When we make an API call, we can just pass in the NCCO as an object and the library handles everything for us. When returning an NCCO response, the user needs to call GetActions() themselves. As a helper feature, make the NCCO do this by itself when it is JSON-Marshalled.
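One way to implement the helper requested above, as an added example that is not the SDK's own code: the Action and Ncco types, AddAction and the unexported field layout are assumed for illustration, and the real library's NCCO type and GetActions() may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Action is one NCCO step. It is a hypothetical type for this example, not
// the SDK's own definition; any JSON-serialisable struct would do.
type Action map[string]interface{}

// Ncco collects the actions behind an unexported field, so a default
// json.Marshal would emit "{}" instead of the action list the Voice API wants.
type Ncco struct {
	actions []Action
}

// AddAction appends a step (hypothetical helper mirroring a builder-style API).
func (n *Ncco) AddAction(a Action) { n.actions = append(n.actions, a) }

// GetActions returns the bare action list, which is the wire format.
func (n *Ncco) GetActions() []Action { return n.actions }

// MarshalJSON makes json.Marshal(ncco) emit exactly what GetActions returns, so
// an answer webhook can encode the Ncco value directly. A value receiver lets
// encoding/json find the method for both Ncco and *Ncco; nil is written as [].
func (n Ncco) MarshalJSON() ([]byte, error) {
	acts := n.actions
	if acts == nil {
		acts = []Action{}
	}
	return json.Marshal(acts)
}

// EncodeNcco is what an answer_url handler would call before writing the body.
func EncodeNcco(n *Ncco) (string, error) {
	b, err := json.Marshal(n)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	var n Ncco
	n.AddAction(Action{"action": "talk", "text": "Hello from Vonage"})
	out, _ := EncodeNcco(&n)
	fmt.Println(out) // [{"action":"talk","text":"Hello from Vonage"}]
}
```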

The NumberInsightClient.Standard call returns an unmarshal error when the roaming field is 'unknown'

Whenever I call the standard number insight on an Italian number

auth := vonage.CreateAuthFromKeySecret("*****", "*******")
niClient := vonage.NewNumberInsightClient(auth)

result, _, err := niClient.Standard("39**********", vonage.NiOpts{})
if err != nil {
    ...
}

I'm getting a "json: cannot unmarshal string into Go struct field NiResponseJsonStandard.roaming of type numberinsight.NiRoaming" error, since the roaming field in the returned JSON is a string with the value unknown, which cannot be unmarshalled into the NiRoaming struct.

{
    "status": 0,
    "status_message": "Success",
    "request_id": "4edb629f-114b-401b-8871-29710867ca5d",
    "country_code": "IT",
    "country_code_iso3": "ITA",
    "country_name": "Italy",
    "country_prefix": "39",
    ...
    "ported": "ported",
    "roaming": "unknown"
}

Here's the decode that causes the issue.
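A decoder that accepts both the string and the object form of the roaming field, as an added example rather than the SDK's own code; NiRoaming's field names and the trimmed standardResponse struct are assumed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// NiRoaming mirrors the "roaming" object. The field names are assumed for
// this example; the SDK's own struct may differ.
type NiRoaming struct {
	Status             string `json:"status"`
	RoamingCountryCode string `json:"roaming_country_code,omitempty"`
}

// UnmarshalJSON accepts both shapes the API sends: a bare string such as
// "unknown" (stored in Status) or a full object; any other shape is an error.
func (r *NiRoaming) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err == nil {
		*r = NiRoaming{Status: s}
		return nil
	}
	type plain NiRoaming // same fields, no methods: avoids infinite recursion
	var obj plain
	if err := json.Unmarshal(data, &obj); err != nil {
		return fmt.Errorf("roaming: expected string or object, got %s: %w", data, err)
	}
	*r = NiRoaming(obj)
	return nil
}

// standardResponse is a trimmed stand-in for the SDK's NiResponseJsonStandard.
type standardResponse struct {
	Status      int       `json:"status"`
	CountryCode string    `json:"country_code"`
	Roaming     NiRoaming `json:"roaming"`
}

// DecodeStandard parses a Number Insight Standard body with the tolerant roaming type.
func DecodeStandard(body []byte) (standardResponse, error) {
	var resp standardResponse
	err := json.Unmarshal(body, &resp)
	return resp, err
}

func main() {
	// Constructed sample body reproducing the Italian case from the issue.
	resp, err := DecodeStandard([]byte(`{"status":0,"country_code":"IT","roaming":"unknown"}`))
	fmt.Printf("%+v err=%v\n", resp.Roaming, err) // {Status:unknown RoamingCountryCode:} err=<nil>
}
```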
