
hecate's Introduction

hecate

(pronounced "HEK-uh-tee")

Hecate was a goddess in ancient Greek religion associated with crossroads. In XMiDT, Hecate is a tool to help transition webhook backends in XMiDT from AWS SNS to Argus.


Summary

XMiDT has historically relied on SNS to keep a distributed list of event webhook subscriptions. It now relies on Argus for that storage. Because teams may need to upgrade their XMiDT services without downtime or disruption, Hecate helps ensure that all webhook data is kept synchronized between SNS and Argus during the migration.

Code of Conduct

This project and everyone participating in it are governed by the XMiDT Code Of Conduct. By participating, you agree to this Code.

Details

Hecate's job consists of listening for webhook updates from SNS and pushing them to Argus.

Build

Source

In order to build from source, you need a working 1.x Go environment. Find more information on the Go website.

Then, clone the repository and build using make:

git clone git@github.com:xmidt-org/hecate.git
cd hecate
make build

Makefile

The Makefile has the following options you may find helpful:

  • make build: builds the Hecate binary
  • make docker: fetches all dependencies from source and builds a Hecate docker image
  • make local-docker: vendors dependencies and builds a Hecate docker image (recommended for local testing)
  • make test: runs unit tests with coverage for Hecate
  • make clean: deletes previously-built binaries and object files

Docker

The docker image can be built either with the Makefile or by running a docker command. Either option requires first getting the source code.

See the Makefile section above for specifics on building the image that way.

If you'd like to build it without make, follow these instructions based on your use case:

  • Local testing
go mod vendor
docker build -t hecate:local -f deploy/Dockerfile .

This allows you to test local changes to a dependency. For example, you can build a hecate image with upcoming changes to webpa-common by using the replace directive in your go.mod file like so:

replace github.com/xmidt-org/webpa-common v1.10.2 => ../webpa-common

Note: if you omit go mod vendor, your build will fail because the path ../webpa-common does not exist in the builder container.

  • Building a specific version
git checkout v0.5.1
docker build -t hecate:v0.5.1 -f deploy/Dockerfile .

Contributing

Refer to CONTRIBUTING.md.

hecate's People

Contributors

denopink, dependabot[bot], j-mai, joe94, kcajmagic, kristinapathak, schmidtw


hecate's Issues

CVE-2022-41723 (High) detected in golang.org/x/net-v0.4.0 - autoclosed

CVE-2022-41723 - High Severity Vulnerability

Vulnerable Library - golang.org/x/net-v0.4.0

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.4.0.zip

Dependency Hierarchy:

  • github.com/xmidt-org/webpa-common-v1.11.9 (Root Library)
    • github.com/miekg/dns-v1.1.50
      • golang.org/x/net-v0.4.0 (Vulnerable Library)

Found in HEAD commit: b37118506743862549e84c5223b60db358aed022

Found in base branch: main

Vulnerability Details

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

Publish Date: 2022-09-29

URL: CVE-2022-41723

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2023-1568

Release Date: 2022-09-29

Fix Resolution: v0.7.0


Step up your Open Source Security Game with Mend here

CVE-2020-8911 (Medium) detected in github.com/aws/aws-sdk-go-v1.31.6 - autoclosed

CVE-2020-8911 - Medium Severity Vulnerability

Vulnerable Library - github.com/aws/aws-sdk-go-v1.31.6

AWS SDK for the Go programming language.

Dependency Hierarchy:

  • github.com/xmidt-org/webpa-common-v1.11.5 (Root Library)
    • github.com/aws/aws-sdk-go-v1.31.6 (Vulnerable Library)

Found in HEAD commit: 05870796dac0956e1a32b0e2deb58f2ce2a1c875

Found in base branch: main

Vulnerability Details

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC). An attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file can then reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

Publish Date: 2020-08-11

URL: CVE-2020-8911

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8911

Release Date: 2020-07-21

Fix Resolution: v1.34.1



CVE-2023-49290 (Medium) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

CVE-2023-49290 - Medium Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.4 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit 64f2a229b which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-12-05

URL: CVE-2023-49290

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49290

Release Date: 2023-12-04

Fix Resolution: v1.2.27,v2.0.18



CVE-2022-32149 (High) detected in golang.org/x/text-v0.3.7 - autoclosed

CVE-2022-32149 - High Severity Vulnerability

Vulnerable Library - golang.org/x/text-v0.3.7

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.7.zip

Dependency Hierarchy:

  • github.com/spf13/viper-v1.13.0 (Root Library)
    • github.com/spf13/afero-v1.9.2
      • golang.org/x/text-v0.3.7 (Vulnerable Library)

Found in HEAD commit: 7bdd3905a2b6d18ef5bb8bf5a77ea9e7a8cc3b03

Found in base branch: main

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8



CVE-2022-21698 (High) detected in github.com/prometheus/client_golang-v1.10.0 - autoclosed

CVE-2022-21698 - High Severity Vulnerability

Vulnerable Library - github.com/prometheus/client_golang-v1.10.0

Prometheus instrumentation library for Go applications

Dependency Hierarchy:

  • github.com/prometheus/client_golang-v1.10.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1



WS-2023-0177 (Medium) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

WS-2023-0177 - Medium Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.4 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

github.com/lestrrat-go/jwx vulnerable to Potential Padding Oracle Attack

Publish Date: 2023-06-14

URL: WS-2023-0177

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-rm8v-mxj3-5rmq

Release Date: 2023-06-14

Fix Resolution: v1.2.26,v2.0.11



Docker-compose goaws panic

When setting up the test cluster here, goaws is throwing a panic as Tr1d1um is making a request to it (most likely) when the goaws service running in the container is not yet ready.

More investigation is needed, but if it does have to do with services not being ready to serve a request, we might need something like a health check script on the docker-compose side.

CVE-2023-39325 (High) detected in golang.org/x/net-v0.15.0 - autoclosed

CVE-2023-39325 - High Severity Vulnerability

Vulnerable Library - golang.org/x/net-v0.15.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.15.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/xmidt-org/webpa-common-v1.11.9 (Root Library)
    • github.com/miekg/dns-v1.1.50
      • golang.org/x/net-v0.15.0 (Vulnerable Library)

Found in HEAD commit: 000004eb78d854ac67e42669b45294e4d5ae1726

Found in base branch: main

Vulnerability Details

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Publish Date: 2023-10-11

URL: CVE-2023-39325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2023-2102

Release Date: 2023-10-11

Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0



Bump argus

The current argus version is too far out of date - currently hecate imports v0.3.11 while the current argus version is v0.7.0. This means that hecate likely won't work with current versions of scytale and tr1d1um.

It may make sense to import ancla, which isn't currently being imported or used. The biggest breaking change I know of is that we no longer store webhooks directly in argus like hecate expects. Instead, we store this struct:

https://github.com/xmidt-org/ancla/blob/884ab5a21b93b5411e59ca01b7828e7c7fad1209/service.go#L104-L107

CVE-2020-26160 (High) detected in github.com/dgrijalva/jwt-go-dc14462fd58732591c7fa58cc8496d6824316a82 - autoclosed

CVE-2020-26160 - High Severity Vulnerability

Vulnerable Library - github.com/dgrijalva/jwt-go-dc14462fd58732591c7fa58cc8496d6824316a82

Golang implementation of JSON Web Tokens (JWT)

Dependency Hierarchy:

  • github.com/xmidt-org/argus/store-v0.3.11 (Root Library)
    • github.com/xmidt-org/argus/auth-v0.3.11
      • github.com/xmidt-org/bascule-b408708d21bcbdb521594ea846ecb1e1dd4b1771
        • github.com/dgrijalva/jwt-go-dc14462fd58732591c7fa58cc8496d6824316a82 (Vulnerable Library)

Found in HEAD commit: 918ca09278586863be53d40e3005df43fb8cbf6b

Found in base branch: main

Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26160

Release Date: 2020-09-30

Fix Resolution: v4.0.0-preview1


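An added example for the jwt-go report above (my code, not jwt-go's): RFC 7519 allows "aud" to be a string or an array of strings, and the vulnerable pattern is a single string type assertion that yields "" for the array form. The audience value "hecate" and the sample payloads are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example, not jwt-go's code. RFC 7519 lets "aud" be either a
// string or an array of strings; a checker that only asserts the string
// form sees "" for the array form, the failure CVE-2020-26160 describes.

// brokenVerifyAudience reproduces the vulnerable pattern: one string type
// assertion, so an array-valued aud becomes "" and a non-required check
// passes for any token.
func brokenVerifyAudience(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == want
}

// audiences normalises every shape a caller or encoding/json can produce
// into a []string and rejects anything else.
func audiences(claims map[string]interface{}) ([]string, error) {
	switch v := claims["aud"].(type) {
	case nil:
		return nil, nil
	case string:
		return []string{v}, nil
	case []string:
		return v, nil
	case []interface{}: // what encoding/json yields for a JSON array
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("aud element has type %T, want string", e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("aud has unsupported type %T", v)
	}
}

// VerifyAudience fails closed: a missing, empty or malformed aud is
// rejected, and the token passes only if one listed audience equals want.
func VerifyAudience(claims map[string]interface{}, want string) bool {
	auds, err := audiences(claims)
	if err != nil || len(auds) == 0 {
		return false
	}
	for _, a := range auds {
		if a == want {
			return true
		}
	}
	return false
}

// parseClaims decodes an already base64url-decoded JWT payload into the
// generic map form that MapClaims-style APIs expose.
func parseClaims(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// Constructed sample payloads; "hecate" is the audience this service expects.
	for _, payload := range []string{
		`{"sub":"alice","aud":"hecate"}`,
		`{"sub":"alice","aud":["other-service"]}`,
		`{"sub":"alice"}`,
	} {
		claims, err := parseClaims(payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s broken=%v safe=%v\n", payload,
			brokenVerifyAudience(claims, "hecate", false),
			VerifyAudience(claims, "hecate"))
	}
}
```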

CVE-2021-38561 (High) detected in github.com/golang/text-v0.3.6 - autoclosed

CVE-2021-38561 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.6

[mirror] Go text processing support

Dependency Hierarchy:

  • github.com/xmidt-org/webpa-common-v1.11.5 (Root Library)
    • github.com/aws/aws-sdk-go-v1.31.6
      • github.com/golang/net/go.mod-7fd8e65b642006927f6cec5cb4241df7f98a2210
        • github.com/golang/text-v0.3.6 (Vulnerable Library)

Found in HEAD commit: 05870796dac0956e1a32b0e2deb58f2ce2a1c875

Found in base branch: main

Vulnerability Details

Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.

Publish Date: 2021-08-12

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7



Explore using uber/fx

There might be some funky business with the handler to receive SNS confirmations. Other than that, it should mostly be uber/fx wiring fun. Argus and Themis are good example services already using fx.

Configurable upstream for sns or argus

Update hecate to allow for it to pull webhooks from either sns or argus, depending on the configuration. The argus upstream would be separate from the downstream (where we are pushing the webhooks).

CVE-2023-45142 (High) detected in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.36.4 - autoclosed

CVE-2023-45142 - High Severity Vulnerability

Vulnerable Library - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.36.4

Collection of extensions for OpenTelemetry-Go.

Library home page: https://proxy.golang.org/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/@v/v0.36.4.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/@v/v0.36.4.mod

Dependency Hierarchy:

  • github.com/xmidt-org/themis-v0.4.11 (Root Library)
    • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.36.4 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. In order to be affected, a program has to use the otelhttp.NewHandler wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

Publish Date: 2023-10-12

URL: CVE-2023-45142

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-rcjv-mgp8-qvmr

Release Date: 2023-10-12

Fix Resolution: instrumentation/net/http/otelhttp/v0.44.0


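An added example (my code, not client_golang's or otelhttp's) for the two unbounded-cardinality reports above, CVE-2022-21698 and CVE-2023-45142: a toy counter stands in for the instrumented metric, and the two mitigations both advisories list, normalising the label and filtering unknown methods before the instrumentation layer, are shown side by side. The allow-lists and the traffic sample are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example, not client_golang's or otelhttp's code. A metric labelled
// by the raw request method (or User-Agent) gains one series per distinct
// value, so a client that invents methods creates unbounded cardinality.
// Two defences: normalise the label, or reject unknown methods before the
// instrumentation layer ever sees them.

// knownMethods is the allow-list of standard HTTP methods (assumed policy).
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// NormalizeMethod collapses every non-standard method onto one label value.
func NormalizeMethod(m string) string {
	if knownMethods[m] {
		return m
	}
	return "unknown"
}

// NormalizeUserAgent keeps only an allow-listed product prefix (assumed
// list) so the label can take at most len(allowed)+1 values.
func NormalizeUserAgent(ua string, allowed []string) string {
	for _, p := range allowed {
		if strings.HasPrefix(ua, p) {
			return p
		}
	}
	return "unknown"
}

// RejectUnknownMethods is middleware placed in front of any instrumented
// handler: non-standard methods get 405 and are never counted.
func RejectUnknownMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !knownMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// methodCounter stands in for a promhttp/otelhttp counter with a "method"
// label; series holds one entry per distinct label value seen.
type methodCounter struct {
	series    map[string]int
	normalize bool
}

func (c *methodCounter) instrument(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		label := r.Method
		if c.normalize {
			label = NormalizeMethod(r.Method)
		}
		c.series[label]++
		next.ServeHTTP(w, r)
	})
}

// SeriesCount replays constructed requests through the chain and returns
// how many distinct method series the counter ended up with.
func SeriesCount(methods []string, normalize, reject bool) int {
	c := &methodCounter{series: map[string]int{}, normalize: normalize}
	var h http.Handler = c.instrument(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	if reject {
		h = RejectUnknownMethods(h)
	}
	for _, m := range methods {
		h.ServeHTTP(httptest.NewRecorder(), &http.Request{Method: m, Header: http.Header{}})
	}
	return len(c.series)
}

func main() {
	// Constructed traffic: two real methods plus invented ones from a noisy client.
	traffic := []string{"GET", "POST", "GET", "FOO1", "FOO2", "FOO3"}
	fmt.Println("raw labels:       ", SeriesCount(traffic, false, false)) // 5
	fmt.Println("normalised labels:", SeriesCount(traffic, true, false))  // 3
	fmt.Println("rejected up front:", SeriesCount(traffic, false, true))  // 2
}
```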

Update main readme

A few things I spotted that need fixing:

  1. The sonarcloud quality gate badge has a broken link
  2. Path to the dockerfile is still the old one: deploy/Dockerfile

CVE-2022-28948 (High) detected in github.com/go-yaml/yaml-v3.0.0 - autoclosed

CVE-2022-28948 - High Severity Vulnerability

Vulnerable Library - github.com/go-yaml/yaml-v3.0.0

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/xmidt-org/webpa-common-v1.11.5 (Root Library)
    • github.com/stretchr/testify-v1.7.0
      • github.com/go-yaml/yaml-v3.0.0 (Vulnerable Library)

Found in HEAD commit: 05870796dac0956e1a32b0e2deb58f2ce2a1c875

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-hp87-p4gw-j4gq

Release Date: 2022-05-19

Fix Resolution: 3.0.0



CVE-2024-21664 (High) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

CVE-2024-21664 - High Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.4 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.

Publish Date: 2024-01-09

URL: CVE-2024-21664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-pvcr-v8j8-j5q3

Release Date: 2024-01-09

Fix Resolution: v1.2.28, v2.0.19



CVE-2024-28122 (Medium) detected in github.com/lestrrat-go/jwx/v2-v2.0.6

CVE-2024-28122 - Medium Severity Vulnerability

Vulnerable Library - github.com/lestrrat-go/jwx/v2-v2.0.6

Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies

Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.mod

Dependency Hierarchy:

  • github.com/xmidt-org/argus-v0.9.4 (Root Library)
    • github.com/xmidt-org/clortho-v0.0.4
      • github.com/lestrrat-go/jwx/v2-v2.0.6 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.

Publish Date: 2024-03-09

URL: CVE-2024-28122

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-hj3v-m684-v259

Release Date: 2024-03-09

Fix Resolution: lestrrat-go/jwx-v1.2.29,v2.0.21


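An added example (my code, not jwx's) covering the three jwx reports above, CVE-2023-49290, CVE-2024-21664 and CVE-2024-28122: each is triggered by a JOSE header the library accepts before doing expensive or unsafe work, so a thin pre-check on the untrusted token, run before any JOSE library touches it, rejects those inputs up front. The p2c cap, the refusal of "zip", and the sample tokens are assumptions constructed for the demonstration; upgrading the library remains the actual fix.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Added example, not jwx's code: a pre-validation pass over the untrusted
// token's headers, run before the JOSE library parses it. Limits here
// (maxP2C, refusing "zip") are assumptions chosen for this example.

const maxP2C = 10000 // assumed cap; PBKDF2 work grows linearly with p2c

var (
	errP2C      = errors.New("jwe: p2c missing or above cap")
	errZip      = errors.New("jwe: compressed payloads not accepted")
	errNoHeader = errors.New("jws: signature present without protected header")
)

// joseHeader holds the few header parameters the pre-check inspects.
type joseHeader struct {
	Alg string `json:"alg"`
	Zip string `json:"zip,omitempty"`
	P2C int64  `json:"p2c,omitempty"`
}

// decodeHeader parses one base64url-encoded protected header segment.
func decodeHeader(segment string) (joseHeader, error) {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return joseHeader{}, fmt.Errorf("jose: bad base64url header: %w", err)
	}
	var h joseHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return joseHeader{}, fmt.Errorf("jose: bad header JSON: %w", err)
	}
	return h, nil
}

// CheckCompactJWE validates the protected header of a compact-serialised
// JWE (five dot-separated segments): it caps p2c for PBES2 algorithms
// (CVE-2023-49290) and refuses compressed payloads (CVE-2024-28122).
func CheckCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("jwe: expected 5 segments, got %d", len(parts))
	}
	h, err := decodeHeader(parts[0])
	if err != nil {
		return err
	}
	if strings.HasPrefix(h.Alg, "PBES2-") && (h.P2C <= 0 || h.P2C > maxP2C) {
		return errP2C
	}
	if h.Zip != "" {
		return errZip
	}
	return nil
}

// sigEntry is one signature object of a JSON-serialised JWS.
type sigEntry struct {
	Signature *string `json:"signature"`
	Protected *string `json:"protected"`
}

// CheckJSONJWS validates a JSON-serialised JWS (flattened or general form):
// every signature must carry a protected header (CVE-2024-21664).
func CheckJSONJWS(doc []byte) error {
	var msg struct {
		sigEntry
		Signatures []sigEntry `json:"signatures"`
	}
	if err := json.Unmarshal(doc, &msg); err != nil {
		return fmt.Errorf("jws: bad JSON: %w", err)
	}
	if msg.Signature != nil && msg.Protected == nil {
		return errNoHeader
	}
	for _, s := range msg.Signatures {
		if s.Signature != nil && s.Protected == nil {
			return errNoHeader
		}
	}
	return nil
}

// protectedHeader encodes a header segment; used only to build sample tokens.
func protectedHeader(h joseHeader) string {
	b, _ := json.Marshal(h)
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	// Constructed samples; the non-header segments are placeholders since only
	// the header is inspected.
	hdr := protectedHeader(joseHeader{Alg: "PBES2-HS256+A128KW", P2C: 1 << 31})
	fmt.Println(CheckCompactJWE(hdr + ".ek.iv.ct.tag"))
	fmt.Println(CheckJSONJWS([]byte(`{"payload":"e30","signature":"AAAA"}`)))
}
```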

CVE-2023-45288 (High) detected in golang.org/x/net-v0.20.0 - autoclosed

CVE-2023-45288 - High Severity Vulnerability

Vulnerable Library - golang.org/x/net-v0.20.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.20.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.20.0.mod

Dependency Hierarchy:

  • github.com/xmidt-org/webpa-common-v1.11.9 (Root Library)
    • github.com/AWS/AWS-sdk-go-v1.44.125
      • golang.org/x/net-v0.20.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Publish Date: 2024-04-04

URL: CVE-2023-45288

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2023-10-06

Fix Resolution: golang/net - v0.23.0



CVE-2020-13949 (High) detected in github.com/open-telemetry/opentelemetry-go-v0.19.0 - autoclosed

CVE-2020-13949 - High Severity Vulnerability

Vulnerable Library - github.com/open-telemetry/opentelemetry-go-v0.19.0

OpenTelemetry Go API and SDK

Dependency Hierarchy:

  • github.com/xmidt-org/themis-v0.4.7 (Root Library)
    • github.com/xmidt-org/candlelight-v0.0.5
      • github.com/open-telemetry/opentelemetry-go-v0.19.0 (Vulnerable Library)

Found in HEAD commit: 05870796dac0956e1a32b0e2deb58f2ce2a1c875

Found in base branch: main

Vulnerability Details

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Publish Date: 2021-02-12

URL: CVE-2020-13949

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E

Release Date: 2021-02-12

Fix Resolution: v0.14.0


