cyber-dojo
flows
exercises-start-points-archived-at-1707630862
artifacts
a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36
By signing up, you agree to the
Terms of Service.
For more information about Kosli’s privacy practices, see the Kosli’s
Privacy Policy.
We’ll occasionally send you account-related emails.
We’ll occasionally send you account-related emails.
exercises-start-points-archived-at-1707630862
Exercises choices
[...] exercises-start-points:70d552e
Compliant
Download Evidence Package
JSON
{ "created_at": 1697628988.804801, "fingerprint": "a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36", "filename": "cyberdojo/exercises-start-points:70d552e", "git_commit": "70d552ebebb5dd2390da6a377101da3dc326a05a", "build_url": "https://github.com/cyber-dojo/exercises-start-points/actions/runs/6560278559", "commit_url": "https://github.com/cyber-dojo/exercises-start-points/commit/70d552ebebb5dd2390da6a377101da3dc326a05a", "evidence": { "snyk-scan": { "evidence_type": "snyk", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6676014264", "evidence_archive_fingerprint": "ce614605ae731172d8cfe9093a5cfaf1bb55d64170b9cfef00f3b6cfcd164f42", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 834, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:57.642Z", "expires": "2023-11-10T21:18:57.635Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/net/http2@v0.10.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.10.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:37.723Z", "expires": "2023-11-10T21:18:37.719Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:30:11.205Z", "expires": "2023-11-17T11:30:11.187Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T22:07:21.759412Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.76701", "probability": "0.00635" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-16T07:20:24.142Z", "expires": "2023-11-16T07:00:00.000Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-13T14:05:13.108519Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:29:48.324Z", "expires": "2023-11-17T11:29:48.309Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:57.642Z", "expires": "2023-11-10T21:18:57.635Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/net/http2@v0.12.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.12.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:37.723Z", "expires": "2023-11-10T21:18:37.719Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/grpc@v1.58.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.58.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:30:11.205Z", "expires": "2023-11-17T11:30:11.187Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T22:07:21.759412Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.76701", "probability": "0.00635" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-16T07:20:24.142Z", "expires": "2023-11-16T07:00:00.000Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-13T14:05:13.108519Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:29:48.324Z", "expires": "2023-11-17T11:29:48.309Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 733, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:57.642Z", "expires": "2023-11-10T21:18:57.635Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/net/http2@v0.8.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.8.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:37.723Z", "expires": "2023-11-10T21:18:37.719Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:30:11.205Z", "expires": "2023-11-17T11:30:11.187Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T22:07:21.759412Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.76701", "probability": "0.00635" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-16T07:20:24.142Z", "expires": "2023-11-16T07:00:00.000Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-13T14:05:13.108519Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:29:48.324Z", "expires": "2023-11-17T11:29:48.309Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 102, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/exercises-start-points:70d552e", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1698484448.5626862, "has_audit_package": true } }, "git_commit_info": { "sha1": "70d552ebebb5dd2390da6a377101da3dc326a05a", "message": "Add vulnerabilities to .snyk file while waiting for base image upgrade", "author": "Faye <faye@kosli.com>", "timestamp": 1697628902, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/exercises-start-points", "template": [ "artifact", "snyk-scan" ], "last_modified_at": 1698484448.5626862, "deployments": [ 66, 65 ], "state": "COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/exercises-start-points-archived-at-1707630862/artifacts/a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/exercises-start-points-archived-at-1707630862/fingerprint/a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36" }
Artifact Information |
|
Name | cyberdojo/exercises-start-points:70d552e |
Fingerprint | a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36 |
Git commit |
70d552e
Faye <faye@kosli.com> (main)
1697628902.0 • 6 months ago
Add vulnerabilities to .snyk file while waiting for base image upgrade
|
CI Build | https://github.com/cyber-dojo/exercises-start-points/actions/runs/6560278559 |
Running | - |
Exited | aws-beta#2033 aws-prod#1286 |
Last modified | 1698484448.5626862 • 6 months ago |
Approvals
None |
Evidence
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6676014264", "evidence_archive_fingerprint": "ce614605ae731172d8cfe9093a5cfaf1bb55d64170b9cfef00f3b6cfcd164f42", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 834, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:57.642Z", "expires": "2023-11-10T21:18:57.635Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/net/http2@v0.10.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.10.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:37.723Z", "expires": "2023-11-10T21:18:37.719Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:30:11.205Z", "expires": "2023-11-17T11:30:11.187Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T22:07:21.759412Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.76701", "probability": "0.00635" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-16T07:20:24.142Z", "expires": "2023-11-16T07:00:00.000Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-13T14:05:13.108519Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:29:48.324Z", "expires": "2023-11-17T11:29:48.309Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:57.642Z", "expires": "2023-11-10T21:18:57.635Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/net/http2@v0.12.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.12.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:37.723Z", "expires": "2023-11-10T21:18:37.719Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/grpc@v1.58.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.58.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:30:11.205Z", "expires": "2023-11-17T11:30:11.187Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T22:07:21.759412Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.76701", "probability": "0.00635" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-16T07:20:24.142Z", "expires": "2023-11-16T07:00:00.000Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-13T14:05:13.108519Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:29:48.324Z", "expires": "2023-11-17T11:29:48.309Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 733, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.249482Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `golang.org/x/net/http2` to version 0.17.0 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:57.642Z", "expires": "2023-11-10T21:18:57.635Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/net/http2@v0.8.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "golang.org/x/net/http2", "name": "golang.org/x/net/http2", "packageManager": "golang", "packageName": "golang.org/x/net/http2", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v0.8.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-10-11T21:18:37.723Z", "expires": "2023-11-10T21:18:37.719Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-27T11:36:51.556659Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:30:11.205Z", "expires": "2023-11-17T11:30:11.187Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T22:07:21.759412Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.76701", "probability": "0.00635" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-16T07:20:24.142Z", "expires": "2023-11-16T07:00:00.000Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-13T14:05:13.108519Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10907", "probability": "0.00044" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-18T11:29:48.324Z", "expires": "2023-11-17T11:29:48.309Z", "path": [ "*" ], "reason": "No fix yet available in docker-in-docker base image", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-10-19T01:10:57.219390Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "severityThreshold": "medium", "summary": "5 medium or high or critical severity vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 102, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e@sha256:a64e4ea48f7e9371522e5777cd43a5cf712e9779aaec67219368d1bcb8d7de36/exercises-start-points:70d552e", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:37.719Z\n created: 2023-10-11T21:18:37.723Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2023-11-10T21:18:57.635Z\n created: 2023-10-11T21:18:57.642Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-16T07:00:00.000Z\n created: 2023-10-16T07:20:24.142Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:29:48.309Z\n created: 2023-10-18T11:29:48.324Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: No fix yet available in docker-in-docker base image\n expires: 2023-11-17T11:30:11.187Z\n created: 2023-10-18T11:30:11.205Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/exercises-start-points:70d552e", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1698484448.5626862, "has_audit_package": true }