
x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-j9hf-98c3-wrm8 #2909

Closed
tatianab opened this issue Jun 7, 2024 · 2 comments

@tatianab
Contributor

tatianab commented Jun 7, 2024

In GitHub Security Advisory GHSA-j9hf-98c3-wrm8, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/cri-o/cri-o | 1.28.7 | = 1.28.6 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cri-o/cri-o
      non_go_versions:
        - introduced: TODO (earliest fixed "1.28.7", vuln range "= 1.28.6")
      vulnerable_at: 1.30.2
      packages:
        - package: github.com/cri-o/cri-o
    - module: github.com/cri-o/cri-o
      non_go_versions:
        - introduced: TODO (earliest fixed "1.29.5", vuln range "= 1.29.4")
      vulnerable_at: 1.30.2
      packages:
        - package: github.com/cri-o/cri-o
    - module: github.com/cri-o/cri-o
      non_go_versions:
        - introduced: TODO (earliest fixed "1.30.1", vuln range "= 1.30.0")
      vulnerable_at: 1.30.2
      packages:
        - package: github.com/cri-o/cri-o
summary: malicious container creates symlink "mtab" on the host External in github.com/cri-o/cri-o
cves:
    - CVE-2024-5154
ghsas:
    - GHSA-j9hf-98c3-wrm8
references:
    - advisory: https://github.com/advisories/GHSA-j9hf-98c3-wrm8
    - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8
notes:
    - fix: 'module merge error: could not merge versions of module github.com/cri-o/cri-o: invalid or non-canonical semver version (found TODO (earliest fixed "1.28.7", vuln range "= 1.28.6"))'
source:
    id: GHSA-j9hf-98c3-wrm8
    created: 2024-06-07T17:18:15.058375-04:00
review_status: UNREVIEWED

@gopherbot
Contributor

Change https://go.dev/cl/592456 mentions this issue: data/reports: add 19 unreviewed reports

@tatianab
Contributor Author

Duplicate of #2919

tatianab marked this as a duplicate of #2919 on Jun 27, 2024