Skip to content

x/vulndb: potential Go vuln in github.com/crossplane/crossplane: GHSA-7h65-4p22-39j6 #3219

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
GoVulnBot opened this issue Oct 25, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/crossplane/crossplane: GHSA-7h65-4p22-39j6 #3219

GoVulnBot opened this issue Oct 25, 2024 · 1 comment
Assignees
@tatianab
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-7h65-4p22-39j6 references a vulnerability in the following Go modules:

Module
github.com/crossplane/crossplane

Description:
A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the net/netip package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.

Critical Vulnerabilities
Vulnerability: CVE-2024-24790, golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Description: The various Is met...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/crossplane/crossplane
      non_go_versions:
        - introduced: TODO (earliest fixed "1.17.2", vuln range "= 1.17.1")
        - introduced: TODO (earliest fixed "1.16.3", vuln range "= 1.16.2")
        - introduced: TODO (earliest fixed "1.15.6", vuln range "= 1.15.5")
      vulnerable_at: 1.17.2
summary: |-
    github.com/crossplane/crossplane: Unexpected behavior from Is methods for
    IPv4-mapped IPv6 addresses
ghsas:
    - GHSA-7h65-4p22-39j6
references:
    - advisory: https://github.com/advisories/GHSA-7h65-4p22-39j6
    - advisory: https://github.com/crossplane/crossplane/security/advisories/GHSA-7h65-4p22-39j6
notes:
    - fix: 'module merge error: could not merge versions of module github.com/crossplane/crossplane: invalid or non-canonical semver version (found TODO (earliest fixed "1.17.2", vuln range "= 1.17.1"))'
source:
    id: GHSA-7h65-4p22-39j6
    created: 2024-10-25T20:01:24.799520288Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports

@tatianab tatianab self-assigned this Oct 28, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@tatianab tatianab

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot