runner-archived-at-1709658802
Test runner
cyberdojo/runner:d3fe336
Compliant
{ "created_at": 1703434839.1026833, "fingerprint": "d858634f16c406e60dcef01b71917b074adac7441fde04235576b27f3c8d74fe", "filename": "cyberdojo/runner:d3fe336", "git_commit": "d3fe336249867c7a4d81acd5b50d48aa8c5556a0", "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7315653810", "commit_url": "https://github.com/cyber-dojo/runner/commit/d3fe336249867c7a4d81acd5b50d48aa8c5556a0", "evidence": { "branch-coverage": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7315653810", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1703434879 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1703434840 } }, "created_at": 1703434881.700302, "has_audit_package": false }, "snyk-scan": { "evidence_type": "snyk", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7315653810", "evidence_archive_fingerprint": "15d5c019c649cbee93dc4aeb1cfecf66297a83165d20af0e1d17099072e5a7bc", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, 
"filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: 
Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": 
{}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - 
'*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": 
"/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 
SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": 
"/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 
SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 833, "displayTargetFile": "/usr/local/bin/dockerd", 
"docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay before the secure channel establishment. An attacker can use the manipulated sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. 
To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.80865", "probability": "0.00899" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { 
"created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-21T11:03:36.162102Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", 
"url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-01-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "github.com/docker/docker@*", "google.golang.org/protobuf/encoding/protojson@v1.28.1" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-22T08:15:52.238162Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "*" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.28.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that 
are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-01-11T12:48:48.599Z", "path": [ "*" 
], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ 
"<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-01-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-01-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying 
expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "summary": "6 vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": 
"/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay before the secure channel establishment. An attacker can use the manipulated sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. 
To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.80865", "probability": "0.00899" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { 
"created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-21T11:03:36.162102Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub 
Issue", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/protobuf/encoding/protojson@v1.31.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", 
"malicious": false, "modificationTime": "2023-12-22T08:15:52.238162Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "*" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.31.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` 
handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-01-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], 
"functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": 
[], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default label non-standard HTTP methods and User agents as `unknown`, so that such requests are still recorded without increasing label cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-01-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-01-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/compose/v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying 
expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "summary": "5 vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { 
"dependencyCount": 723, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay before the secure channel establishment. An attacker can use the manipulated sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. 
To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- [GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.80865", "probability": "0.00899" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { 
"created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-21T11:03:36.162102Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", 
"url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. 
An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { "ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-01-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image 
upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": "GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { 
"title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "github.com/docker/buildx@*", "google.golang.org/protobuf/encoding/protojson@v1.30.0" ], "functions": [], "functions_new": [], "id": 
"SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-22T08:15:52.238162Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "*" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.30.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) provides an http.Handler and functions that 
are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes (with WithRouteTag).\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires careful manual configuration so as not to drop logging of certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-01-11T12:48:48.599Z", "path": [ "*" 
], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ 
"<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. \n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. 
For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-01-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", 
"moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": 
"high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:29.723Z", "expires": "2024-01-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] 
}, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": 
false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/buildx", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying 
expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "summary": "6 vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 
102, "docker": { "baseImage": "docker:24.0.7-dind-alpine3.18", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": 
"cyberdojo/runner:d3fe336/runner", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n 
source: cli\npatch: {}\n", "projectName": "docker-image|cyberdojo/runner", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1703434892.9846606, "has_audit_package": true } }, "reported_by": "cyber-dojo-machine-user", "git_commit_info": { "sha1": "d3fe336249867c7a4d81acd5b50d48aa8c5556a0", "message": "Delete dead .env entry", "author": "JonJagger <jon@kosli.com>", "timestamp": 1703434726, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/runner", "template": [ "artifact", "branch-coverage", "snyk-scan" ], "last_modified_at": 1703434892.9846606, "deployments": [ 67, 66 ], "state": "COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/runner-archived-at-1709658802/artifacts/d858634f16c406e60dcef01b71917b074adac7441fde04235576b27f3c8d74fe", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/runner-archived-at-1709658802/fingerprint/d858634f16c406e60dcef01b71917b074adac7441fde04235576b27f3c8d74fe" }
Artifact Information |
Name | cyberdojo/runner:d3fe336 |
Fingerprint | d858634f16c406e60dcef01b71917b074adac7441fde04235576b27f3c8d74fe |
Git commit |
d3fe336
JonJagger <jon@kosli.com> (main)
1703434726.0 • 4 months ago
Delete dead .env entry
CI Build | https://github.com/cyber-dojo/runner/actions/runs/7315653810 |
Running | - |
Exited | aws-beta#2595 aws-prod#1742 |
Last modified | 1703434892.9846606 • 4 months ago |
Approvals
None |
Evidence
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7315653810", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 15, "missed": 37, "total": 52 }, "lines": { "covered": 257, "missed": 85, "total": 342 } }, "code": { "branches": { "covered": 6, "missed": 0, "total": 6 }, "lines": { "covered": 129, "missed": 0, "total": 129 } }, "test": { "branches": { "covered": 5, "missed": 0, "total": 5 }, "lines": { "covered": 529, "missed": 0, "total": 529 } } }, "timestamp": 1703434879 }, "server": { "command_name": "Minitest", "groups": { "Ungrouped": { "branches": { "covered": 33, "missed": 19, "total": 52 }, "lines": { "covered": 333, "missed": 25, "total": 358 } }, "code": { "branches": { "covered": 64, "missed": 2, "total": 66 }, "lines": { "covered": 558, "missed": 1, "total": 559 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 963, "missed": 0, "total": 963 } } }, "timestamp": 1703434840 } }, "created_at": 1703434881.700302, "has_audit_package": false }
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/runner/actions/runs/7315653810", "evidence_archive_fingerprint": "15d5c019c649cbee93dc4aeb1cfecf66297a83165d20af0e1d17099072e5a7bc", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": 
"jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/containerd/containerd/cmd/containerd", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 
2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/containerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/containerd-shim-runc-v2", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": 
true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/containerd/containerd/cmd/containerd-shim-runc-v2", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image 
upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/containerd-shim-runc-v2", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/containerd-shim-runc-v2", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 0, "displayTargetFile": "/usr/local/bin/ctr", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, 
"severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/containerd/containerd/cmd/ctr", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image 
upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "go-distribution@github.com/containerd/containerd/cmd/ctr", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/ctr", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 3, "displayTargetFile": "/usr/local/bin/docker-proxy", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, 
"org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/docker", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n 
created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "summary": "No known vulnerabilities", "targetFile": "/usr/local/bin/docker-proxy", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 833, "displayTargetFile": "/usr/local/bin/dockerd", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay before the secure channel establishment. An attacker can use the manipulated sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. 
If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- 
[GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.80865", "probability": "0.00899" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/docker@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-21T11:03:36.162102Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": 
"https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go 
implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { 
"ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-01-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/docker@*", "google.golang.org/grpc@v1.50.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": 
"GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.50.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ 
"github.com/docker/docker@*", "google.golang.org/protobuf/encoding/protojson@v1.28.1" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-22T08:15:52.238162Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "*" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.28.1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## 
Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) is a provides a http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes WithRouteTag.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": 
{ "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-01-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { 
"title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. 
\n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-01-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, 
"isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red 
Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { 
"created": "2023-11-11T12:48:29.723Z", "expires": "2024-01-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/docker@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.29.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.29.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/docker", "policy": "# Snyk 
(https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/docker", "summary": "6 
vulnerable dependency paths", "targetFile": "/usr/local/bin/dockerd", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 753, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay before the secure channel establishment. An attacker can use the manipulated sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. 
If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- 
[GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.80865", "probability": "0.00899" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/compose/v2@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-21T11:03:36.162102Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": 
"https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], 
"reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "github.com/docker/compose/v2@*", "google.golang.org/protobuf/encoding/protojson@v1.31.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-22T08:15:52.238162Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "*" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.31.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## 
Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) provides an http.Handler and functions intended to add tracing by wrapping existing handlers (with Handler) and routes (with WithRouteTag).\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": 
{ "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-01-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { 
"title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. 
\n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-01-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null 
}, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red 
Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { 
"created": "2023-11-11T12:48:29.723Z", "expires": "2024-01-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/compose/v2@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/compose/v2", "policy": "# Snyk 
(https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/compose/v2", "summary": 
"5 vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-compose", "uniqueCount": 0, "vulnerabilities": [] }, { "dependencyCount": 723, "displayTargetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "docker": {}, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", "alternativeIds": [], "creationTime": "2023-12-19T07:43:18.835757Z", "credit": [ "Fabian B\u00e4umer", "Marcus Brinkmann", "J\u00f6rg Schwenk" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-19T13:31:34.026923Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.9, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "modificationTime": "2023-12-21T11:03:36.162102Z", "severity": "medium" } ], "cvssScore": 5.9, "description": "## Overview\n[golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc) is a SSH client and server\n\nAffected versions of this package are vulnerable to Authentication Bypass by Capture-replay before the secure channel establishment. An attacker can use the manipulated sequence numbers to delete messages sent immediately after the channel is established.\r\n\r\n**Note:**\r\n\r\n1) Sequence numbers are only validated once the channel is established and arbitrary messages are allowed during the handshake, allowing them to manipulate the sequence numbers.\r\n\r\n2) The potential consequences of the general Terrapin attack are dependent on the messages exchanged after the handshake concludes. 
If you are using a custom SSH service and do not resort to the authentication protocol, you should check that dropping the first few messages of a connection does not yield security risks.\r\n\r\n**Impact:** \r\n\r\nWhile cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation. To successfully carry out the exploitation, the connection needs to be protected using either the `ChaCha20-Poly1305` or `CBC` with `Encrypt-then-MAC` encryption methods. The attacker must also be able to intercept and modify the connection's traffic. \r\n\r\n## Workaround\r\n\r\nTemporarily disable the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.\n## Remediation\nUpgrade `golang.org/x/crypto/ssh` to version 0.17.0 or higher.\n## References\n- [Attack Information](https://terrapin-attack.com/)\n- [GitHub Commit](https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d)\n- [GitHub Commit](https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742)\n- [GitHub Commit](https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356)\n- [GitHub Commit](https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b)\n- [GitHub Commit](https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a)\n- [GitHub Commit](https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0)\n- [GitHub Commit](https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae)\n- [GitHub Issue](https://github.com/paramiko/paramiko/issues/2337)\n- 
[GitHub Issue](https://go.dev/issue/64784)\n- [Go Forum](https://go.dev/cl/550715)\n- [Google Groups Forum](https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg)\n- [Security Release](https://www.openssh.com/txt/release-9.6)\n", "disclosureTime": "2023-12-18T21:18:26Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.80865", "probability": "0.00899" }, "exploit": "Proof of Concept", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.17.0" ], "from": [ "github.com/docker/buildx@*", "golang.org/x/crypto/ssh@v0.14.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669", "identifiers": { "CVE": [ "CVE-2023-48795" ], "CWE": [ "CWE-294" ], "GO": [ "GO-2023-2402" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-21T11:03:36.162102Z", "moduleName": "golang.org/x/crypto/ssh", "name": "golang.org/x/crypto/ssh", "packageManager": "golang", "packageName": "golang.org/x/crypto/ssh", "patches": [], "proprietary": false, "publicationTime": "2023-12-19T08:34:48.266287Z", "references": [ { "title": "Attack Information", "url": "https://terrapin-attack.com/" }, { "title": "GitHub Commit", "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" }, { "title": "GitHub Commit", "url": "https://github.com/libssh2/libssh2/pull/1291/commits/ab44b0906d7f8a296e995ccd661b0e98d01a3742" }, { "title": "GitHub Commit", "url": "https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" }, { "title": "GitHub Commit", "url": "https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" }, { "title": "GitHub Commit", "url": 
"https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" }, { "title": "GitHub Commit", "url": "https://github.com/ronf/asyncssh/commit/69f5a41b458b29367a65fe469c2b0255b5db210a" }, { "title": "GitHub Commit", "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0" }, { "title": "GitHub Commit", "url": "https://github.com/warp-tech/russh/commit/a355c62d11352cf93c3f9fda7499e03753a938ae" }, { "title": "GitHub Issue", "url": "https://github.com/paramiko/paramiko/issues/2337" }, { "title": "GitHub Issue", "url": "https://go.dev/issue/64784" }, { "title": "Go Forum", "url": "https://go.dev/cl/550715" }, { "title": "Google Groups Forum", "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" }, { "title": "Security Release", "url": "https://www.openssh.com/txt/release-9.6" } ], "semver": { "hashesRange": [ "<v0.17.0" ], "vulnerable": [ "<0.17.0" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Authentication Bypass by Capture-replay", "upgradePath": [], "version": "v0.14.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "alternativeIds": [], "creationTime": "2023-10-10T21:24:19.659383Z", "credit": [ "Unknown" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n[google.golang.org/grpc](https://pkg.go.dev/google.golang.org/grpc) is a Go 
implementation of gRPC\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.\n## Remediation\nUpgrade `google.golang.org/grpc` to version 1.56.3, 1.57.1, 1.58.3 or higher.\n## References\n- [Github Commit](https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)\n- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)\n- [GitHub Commit](https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f)\n- [GitHub Commit](https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5)\n- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)\n- [GitHub Commit](https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13)\n- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)\n- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:47:39Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97454", "probability": "0.60157" }, "exploit": "High", "filtered": { 
"ignored": [ { "created": "2023-11-11T12:47:37.173Z", "expires": "2024-01-11T12:47:37.165Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "1.56.3", "1.57.1", "1.58.3" ], "from": [ "github.com/docker/buildx@*", "google.golang.org/grpc@v1.53.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328", "identifiers": { "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ], "GHSA": [ "GHSA-2m7v-gc89-fjqf", "GHSA-jhv4-f7mr-xx76" ], "GO": [ "GO-2023-2153" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-14T08:07:09.521537Z", "moduleName": "google.golang.org/grpc", "name": "google.golang.org/grpc", "packageManager": "golang", "packageName": "google.golang.org/grpc", "patches": [], "proprietary": false, "publicationTime": "2023-10-11T06:03:00.595391Z", "references": [ { "title": "Github Commit", "url": "https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49" }, { "title": "GitHub Commit", "url": "https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e" }, { "title": "GitHub Commit", "url": "https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148" }, { "title": "GitHub Commit", "url": "https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f" }, { "title": "GitHub Commit", "url": "https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5" }, { "title": "GitHub Commit", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "GitHub Commit", "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832" }, { "title": 
"GitHub Commit", "url": "https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13" }, { "title": "Snyk Blog", "url": "https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/" }, { "title": "Vulnerability Discovery", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "Vulnerability Explanation", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "CISA - Known Exploited Vulnerabilities", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "semver": { "hashesRange": [ "<v1.56.3", ">=v1.57.0 <v1.57.1", ">=v1.58.0 <v1.58.3" ], "vulnerable": [ "<1.56.3", ">=1.57.0 <1.57.1", ">=1.58.0 <1.58.3" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Denial of Service (DoS)", "upgradePath": [], "version": "v1.53.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-12-22T07:56:01.435551Z", "credit": [ "jhump" ], "cvssDetails": [], "cvssScore": 5.9, "description": "## Overview\n\nAffected versions of this package are vulnerable to Stack-based Buffer Overflow when processing input that uses pathologically deep nesting.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2)\n- [GitHub Issue](https://github.com/golang/protobuf/issues/1584)\n", "disclosureTime": "2023-12-21T17:31:13Z", "epssDetails": null, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-24T12:46:34.673Z", "expires": "2024-01-24T12:46:34.671Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ 
"github.com/docker/buildx@*", "google.golang.org/protobuf/encoding/protojson@v1.30.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908", "identifiers": { "CVE": [], "CWE": [ "CWE-121" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-12-22T08:15:52.238162Z", "moduleName": "google.golang.org/protobuf/encoding/protojson", "name": "google.golang.org/protobuf/encoding/protojson", "packageManager": "golang", "packageName": "google.golang.org/protobuf/encoding/protojson", "patches": [], "proprietary": false, "publicationTime": "2023-12-22T07:57:46.872135Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" }, { "title": "GitHub Issue", "url": "https://github.com/golang/protobuf/issues/1584" } ], "semver": { "hashesRange": [ "<bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2" ], "vulnerable": [ "*" ], "vulnerableHashes": null }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Stack-based Buffer Overflow", "upgradePath": [], "version": "v1.30.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:45.160619Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## 
Overview\n[go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace) provides an http.Handler and functions that are intended to be used to add tracing by wrapping existing handlers (with Handler) and routes (with WithRouteTag).\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires careful manual configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": 
{ "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:48.611Z", "expires": "2024-01-11T12:48:48.599Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { 
"title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-13T14:05:12.769479Z", "credit": [ "Jakub Warczarek" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-11-15T01:10:29.297446Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2022-10-27T11:03:48.353189Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.451299Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when the `otelhttp.NewHandler` wrapper is used and no filtering is applied to unknown HTTP methods or User agents at the CDN, LB, or previous middleware levels. An attacker can cause the server's potential memory exhaustion by sending numerous malicious requests with random and long HTTP User-Agent or HTTP method values. \n\n**Note:**\n\nThis is only exploitable if the program does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. 
\n\n**Mitigation:** \n\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, which requires manual configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-12T17:49:33.127000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.72883", "probability": "0.00473" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-11-11T12:48:08.084Z", "expires": "2024-01-11T12:48:08.076Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583", "identifiers": { "CVE": [ "CVE-2022-21698" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-5r5m-65gx-7vrh", "GHSA-cg3q-j54f-5p7p", "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, 
"isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.451299Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-13T14:05:12.990398Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { "hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "alternativeIds": [], "creationTime": "2023-10-17T07:31:43.387804Z", "credit": [ "Jakub Warczarek", "Armin Ruech", "Robert Paj\u0105k" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-19T01:10:57.219390Z", "severity": "high" }, { "assigner": "Red 
Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:38.359082Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `otelhttp` handler wrapper. An attacker can cause a denial of service by sending numerous malicious requests with random and long `http.user_agent` and `http.method` labels.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the program uses the `otelhttp.NewHandler` wrapper and does not filter any unknown HTTP methods or User agents at the CDN, LB, previous middleware, etc. level.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be mitigated by using `otelhttp.WithFilter()`, but it requires manual careful configuration to not log certain requests entirely.\n## Remediation\nUpgrade `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` to version 0.44.0 or higher.\n## References\n- [GitHub Commit](https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9)\n- [GitHub PR](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277)\n- [GitHub Release](https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)\n- [Vulnerable Code](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)\n", "disclosureTime": "2023-10-16T14:01:54Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.45228", "probability": "0.00116" }, "exploit": "Not Defined", "filtered": { "ignored": [ { 
"created": "2023-11-11T12:48:29.723Z", "expires": "2024-01-11T12:48:29.711Z", "path": [ "*" ], "reason": "Waiting for base image upgrade", "source": "cli" } ] }, "fixedIn": [ "0.44.0" ], "from": [ "github.com/docker/buildx@*", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0" ], "functions": [], "functions_new": [], "id": "SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109", "identifiers": { "CVE": [ "CVE-2023-45142" ], "CWE": [ "CWE-770" ], "GHSA": [ "GHSA-rcjv-mgp8-qvmr" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "golang", "malicious": false, "modificationTime": "2023-11-08T09:43:38.359082Z", "moduleName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "name": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "packageManager": "golang", "packageName": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "patches": [], "proprietary": false, "publicationTime": "2023-10-17T11:16:59.430698Z", "references": [ { "title": "GitHub Commit", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/50ca48f8017e04bcf9149a5435e7f8f96f9e83c9" }, { "title": "GitHub PR", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277" }, { "title": "GitHub Release", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go%23L223" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go%23L159" }, { "title": "Vulnerable Code", "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go%23L63-L65" } ], "semver": { 
"hashesRange": [ "<v0.44.0" ], "vulnerable": [ "<0.44.0" ], "vulnerableHashes": null }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Allocation of Resources Without Limits or Throttling", "upgradePath": [], "version": "v0.40.0" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "gomodules", "path": "cyberdojo/runner:d3fe336/docker/buildx", "policy": "# Snyk 
(https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "github.com/docker/buildx", "summary": "6 
vulnerable dependency paths", "targetFile": "/usr/local/libexec/docker/cli-plugins/docker-buildx", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 102, "docker": { "baseImage": "docker:24.0.7-dind-alpine3.18", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" }, "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { 
"instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "apk", "path": "cyberdojo/runner:d3fe336/runner", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6137908:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-24T12:46:34.671Z\n created: 2023-12-24T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:46:34.671Z\n created: 2023-11-11T12:46:34.673Z\n source: cli\n SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:47:37.165Z\n created: 2023-11-11T12:47:37.173Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:08.076Z\n created: 2023-11-11T12:48:08.084Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:29.711Z\n created: 2023-11-11T12:48:29.723Z\n source: cli\n SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:48:48.599Z\n created: 2023-11-11T12:48:48.611Z\n source: cli\n SNYK-ALPINE318-OPENSSL-6032386:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-11-11T12:49:02.255Z\n source: cli\n 
SNYK-GOLANG-GOLANGORGXNETHTTP2-5958903:\n - '*':\n reason: Waiting for base image upgrade\n expires: 2024-01-11T12:49:02.243Z\n created: 2023-12-16T12:49:02.255Z\n source: cli\npatch: {}\n", "projectName": "docker-image|cyberdojo/runner", "summary": "No known operating system vulnerabilities", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1703434892.9846606, "has_audit_package": true }