Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/gitpod-io/gitpod: CVE-2024-21583 #2997

Closed
GoVulnBot opened this issue Jul 19, 2024 · 5 comments
Closed

x/vulndb: potential Go vuln in github.com/gitpod-io/gitpod: CVE-2024-21583 #2997

GoVulnBot opened this issue Jul 19, 2024 · 5 comments
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-21583 references a vulnerability in the following Go modules:

Module
github.com/gitpod-io/gitpod

Description:
Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpo...

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/gitpod-io/gitpod
      vulnerable_at: 0.10.0
summary: CVE-2024-21583 in github.com/gitpod-io/gitpod
cves:
    - CVE-2024-21583
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21583
    - fix: https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
    - fix: https://github.com/gitpod-io/gitpod/pull/19973
    - web: https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=[…]942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
    - web: https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
source:
    id: CVE-2024-21583
    created: 2024-07-19T06:01:16.172383195Z
review_status: UNREVIEWED
@tatianab
Copy link
Contributor

Fix does appear to affect Go code

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/599636 mentions this issue: data/reports: add 4 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606360 mentions this issue: data/reports: regenerate 8 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
@tatianab @gopherbot
data/reports: regenerate 8 reports
9fd9786 
  - data/reports/GO-2024-2993.yaml
  - data/reports/GO-2024-2997.yaml
  - data/reports/GO-2024-3033.yaml
  - data/reports/GO-2024-3039.yaml
  - data/reports/GO-2024-2921.yaml
  - data/reports/GO-2024-2982.yaml
  - data/reports/GO-2024-3066.yaml
  - data/reports/GO-2024-3070.yaml

Updates #2993
Updates #2997
Updates #3033
Updates #3039
Updates #2921
Updates #2982
Updates #3066
Updates #3070

Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/611375 mentions this issue: data/reports: update GO-2024-2997

gopherbot pushed a commit that referenced this issue Sep 6, 2024
@tatianab
data/reports: update GO-2024-2997
38348a7 
Fix bad URI.

  - data/reports/GO-2024-2997.yaml

Updates #2997
Fixes #3120

Change-Id: I08882a769b46b5f95f0a2182eed3ba924a78c11a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/611375
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/610809 mentions this issue: data/reports: regenerate GO-2024-2997

gopherbot pushed a commit that referenced this issue Sep 6, 2024
@tatianab
data/reports: regenerate GO-2024-2997
fcf3b07 
Regenerate with updated algorithm.

  - data/reports/GO-2024-2997.yaml

Updates #2997

Change-Id: I6c6aec10dfb4e24bae5e2f5313ecda78e7ddabe7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/610809
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot