github.com/mautrix/go/mautrix-v0.9.18: 7 vulnerabilities (highest severity is: 7.5) - autoclosed #18
Labels: Mend: dependency security vulnerability; Security vulnerability detected by WhiteSource
Vulnerable Library - github.com/mautrix/go/mautrix-v0.9.18
Vulnerabilities
Details
CVE-2021-42836
Vulnerable Library - github.com/tidwall/gjson-v1.6.8
Get JSON values quickly - JSON parser for Go
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
Publish Date: 2021-10-22
URL: CVE-2021-42836
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: tidwall/gjson#237
Release Date: 2021-10-22
Fix Resolution: v1.9.3
Step up your Open Source Security Game with Mend here
CVE-2022-27191
Vulnerable Library - github.com/golang/crypto-5ea612d1eb830b38bc4e914e37f55311eb58adce
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Publish Date: 2022-03-18
URL: CVE-2022-27191
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191
Release Date: 2022-03-18
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1
CVE-2021-33194
Vulnerable Library - github.com/golang/net-5f55cee0dc0dc168ce29222f077fe7fcd4be72c5
[mirror] Go supplementary network libraries
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Publish Date: 2021-05-26
URL: CVE-2021-33194
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194
Release Date: 2021-05-26
Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023
CVE-2021-44716
Vulnerable Library - github.com/golang/net-5f55cee0dc0dc168ce29222f077fe7fcd4be72c5
[mirror] Go supplementary network libraries
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Publish Date: 2022-01-01
URL: CVE-2021-44716
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-vc3p-29h2-gpcp
Release Date: 2022-01-01
Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70
CVE-2021-43565
Vulnerable Library - github.com/golang/crypto-5ea612d1eb830b38bc4e914e37f55311eb58adce
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565
Release Date: 2021-11-10
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1
CVE-2021-42248
Vulnerable Library - github.com/tidwall/gjson-v1.6.8
Get JSON values quickly - JSON parser for Go
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
GJSON <= 1.9.2 allows attackers to cause a ReDoS (regular expression denial of service) via crafted JSON input.
Publish Date: 2022-05-24
URL: CVE-2021-42248
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42248
Release Date: 2022-05-24
Fix Resolution: v1.9.3
CVE-2021-31525
Vulnerable Library - github.com/golang/net-5f55cee0dc0dc168ce29222f077fe7fcd4be72c5
[mirror] Go supplementary network libraries
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-05-27
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
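As an added check (example code written for this page, not part of mautrix-go or of Mend's tooling), the Go program below turns the fix resolutions listed above into a version audit. It compares module versions against the fixed releases under Go's semver precedence, which is what makes pseudo-versions such as v0.0.0-20210520170846-37e1c6afe023 comparable by their embedded commit timestamp, and it handles the two net/http CVEs separately because their fixes ship in the Go toolchain rather than in golang.org/x/net. Assumptions: the x/crypto threshold is the one NVD gives for CVE-2022-27191 and is taken to cover CVE-2021-43565 as well, since it post-dates that fix (git20211202 in the Debian package name above); the report names the x/net fix for CVE-2021-44716 only by commit hash, so that CVE is checked here through the toolchain releases its advisory text lists; sampleModules is a constructed input whose commit prefixes come from the report but whose pseudo-version timestamps are illustrative; the advisory tables, function names and the go1.X.Y parsing are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// advisory pairs a CVE with the lowest fixed version(s) named in the report.
type advisory struct{ ID, Module, Fixed string }

// The x/crypto threshold is NVD's for CVE-2022-27191; it post-dates the
// CVE-2021-43565 fix (git20211202 in the Debian package name), so meeting
// it clears both x/crypto CVEs.
var moduleAdvisories = []advisory{
	{"CVE-2021-42836", "github.com/tidwall/gjson", "v1.9.3"},
	{"CVE-2021-42248", "github.com/tidwall/gjson", "v1.9.3"},
	{"CVE-2021-33194", "golang.org/x/net", "v0.0.0-20210520170846-37e1c6afe023"},
	{"CVE-2022-27191", "golang.org/x/crypto", "v0.0.0-20220314234659-1baeb1ce4c0b"},
}

// The net/http fixes ship with the Go toolchain, so these are Go releases:
// one per supported minor, ascending, as listed in the advisories above.
var toolchainAdvisories = []advisory{
	{"CVE-2021-31525", "go", "1.15.12 1.16.4 1.17.0"},
	{"CVE-2021-44716", "go", "1.16.12 1.17.5"},
}

// semver is vMAJOR.MINOR.PATCH[-PRERELEASE]. A Go pseudo-version such as
// v0.0.0-20210520170846-37e1c6afe023 is a prerelease of v0.0.0 that starts
// with a fixed-width UTC timestamp, so string order on pre is commit order.
type semver struct {
	core [3]int
	pre  string
}

func parseSemver(v string) (semver, error) {
	var s semver
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)
	if n, _ := fmt.Sscanf(parts[0], "%d.%d.%d", &s.core[0], &s.core[1], &s.core[2]); n != 3 {
		return s, fmt.Errorf("bad version %q", v)
	}
	if len(parts) == 2 {
		s.pre = parts[1]
	}
	return s, nil
}

// less is semver precedence: numeric core, then prerelease before release.
func (a semver) less(b semver) bool {
	for i := range a.core {
		if a.core[i] != b.core[i] {
			return a.core[i] < b.core[i]
		}
	}
	if (a.pre == "") != (b.pre == "") {
		return a.pre != ""
	}
	return a.pre < b.pre
}

// toolchainAffected reports whether Go release cur predates the fix. Minors
// older than the first fixed release were out of support and never got it;
// minors newer than the last one shipped with it.
func toolchainAffected(fixed string, cur semver) bool {
	for i, f := range strings.Fields(fixed) {
		fix, _ := parseSemver(f)
		if cur.core[1] == fix.core[1] || i == 0 && cur.less(fix) {
			return cur.less(fix)
		}
	}
	return false
}

// audit takes resolved module versions (feed it `go list -m all` output so
// indirect modules are covered) and the toolchain version, and returns one
// finding per advisory on this page that they do not satisfy.
func audit(mods map[string]string, toolchain string) []string {
	var out []string
	for _, adv := range moduleAdvisories {
		have, ok := mods[adv.Module]
		if !ok {
			continue
		}
		cur, err := parseSemver(have)
		fix, _ := parseSemver(adv.Fixed) // table values are well-formed
		if err != nil || cur.less(fix) {
			out = append(out, fmt.Sprintf("%s: %s %s is not at or above %s", adv.ID, adv.Module, have, adv.Fixed))
		}
	}
	tc := strings.TrimPrefix(toolchain, "go")
	if strings.Count(tc, ".") == 1 {
		tc += ".0" // go1.17 is the .0 release
	}
	cur, err := parseSemver(tc)
	for _, adv := range toolchainAdvisories {
		if err != nil || toolchainAffected(adv.Fixed, cur) {
			out = append(out, fmt.Sprintf("%s: toolchain %s lacks the net/http fix", adv.ID, toolchain))
		}
	}
	return out
}

// sampleModules is constructed: commit prefixes are the report's, timestamps illustrative.
var sampleModules = map[string]string{
	"github.com/tidwall/gjson": "v1.6.8",
	"golang.org/x/crypto":      "v0.0.0-20210220033148-5ea612d1eb83",
	"golang.org/x/net":         "v0.0.0-20210226172049-5f55cee0dc0d",
}

func main() {
	for _, f := range audit(sampleModules, "go1.16.10") {
		fmt.Println(f)
	}
}
```

Against the constructed input and a go1.16.10 toolchain this reports all five advisories it can evaluate (both gjson CVEs, CVE-2021-33194, CVE-2022-27191 and CVE-2021-44716) and nothing once the three modules are moved to their fixed versions and the toolchain to go1.17.5. The comparison helper covers the version shapes on this page; for anything more general use golang.org/x/mod/semver, and for reachability-aware results run govulncheck against the built binary rather than only comparing go.mod. The x/net pseudo-version for the CVE-2021-44716 fix commit can be resolved with `go list -m golang.org/x/net@491a49abca63` and added to moduleAdvisories once known.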