Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/apache/servicecomb-service-center: GHSA-x6jv-5vfg-gm7x #754

Closed
julieqiu opened this issue Aug 1, 2022 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/apache/servicecomb-service-center: GHSA-x6jv-5vfg-gm7x #754

julieqiu opened this issue Aug 1, 2022 · 1 comment
Assignees
@zpavlinovic
Labels
excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report.

Comments

@julieqiu
Copy link
Member

julieqiu commented Aug 1, 2022

In GitHub Security Advisory GHSA-x6jv-5vfg-gm7x, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/apache/servicecomb-service-center 2.0.0 < 2.0.0

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/apache/servicecomb-service-center
    versions:
      - fixed: 2.0.0
description: Improper configuration will cause ServiceComb ServiceCenter Directory
    Traversal problem in ServcieCenter 1.x.x versions and fixed in 2.0.0.
published: 2021-09-01T18:35:52Z
last_modified: 2021-09-01T18:35:52Z
cves:
  - CVE-2021-21501
ghsas:
  - GHSA-x6jv-5vfg-gm7x
links:
    context:
      - https://github.com/advisories/GHSA-x6jv-5vfg-gm7x
@zpavlinovic
Copy link
Contributor

Duplicate of https://github.com/golang/vulndb/blob/0cf3970a71893a908b5499740b21a184eac745b8/reports/GO-2021-0051.yaml. That is, the bug consists in importing a vulnerable package (and the fix is to update the dependency).

@neild neild added excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report. and removed NotGoVuln labels Aug 10, 2022
This was referenced Jan 31, 2024
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @zpavlinovic @julieqiu