Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2022-21221 (High) detected in github.com/valyala/fasthttp-v1.31.0 #2775

Closed
mend-bolt-for-github bot opened this issue Mar 20, 2022 · 0 comments · Fixed by #3017
Closed

CVE-2022-21221 (High) detected in github.com/valyala/fasthttp-v1.31.0 #2775

mend-bolt-for-github bot opened this issue Mar 20, 2022 · 0 comments · Fixed by #3017
Assignees
@zroubalik
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Milestone
v2.7.1

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Mar 20, 2022
edited
Loading

CVE-2022-21221 - High Severity Vulnerability

Vulnerable Library - github.com/valyala/fasthttp-v1.31.0

Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http

Dependency Hierarchy:

  • github.com/dysnix/predictkube-libs-v0.0.3 (Root Library)
    • github.com/valyala/fasthttp-v1.31.0 (Vulnerable Library)

Found in HEAD commit: 4213ed86dc859b83c4f126853835fab3dc987b5d

Found in base branch: main

Vulnerability Details

The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. Note: This security issue impacts Windows users only.

Publish Date: 2022-03-17

URL: CVE-2022-21221

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21221

Release Date: 2022-03-17

Fix Resolution: v1.34.0

Step up your Open Source Security Game with WhiteSource here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Mar 20, 2022
@tomkerkhove tomkerkhove moved this to Proposed in Roadmap - KEDA Core Mar 20, 2022
@zroubalik zroubalik mentioned this issue Mar 22, 2022
Closed
@JorTurFer JorTurFer self-assigned this Mar 23, 2022
@JorTurFer JorTurFer mentioned this issue Mar 23, 2022
Closed
5 tasks
@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2022-21221 (Medium) detected in github.com/valyala/fasthttp-v1.31.0 CVE-2022-21221 (High) detected in github.com/valyala/fasthttp-v1.31.0 Mar 25, 2022
@zroubalik zroubalik assigned zroubalik and unassigned JorTurFer May 6, 2022
@zroubalik zroubalik moved this from Proposed to In Progress in Roadmap - KEDA Core May 6, 2022
@tomkerkhove tomkerkhove added this to the v2.7.1 milestone May 6, 2022
@zroubalik zroubalik mentioned this issue May 6, 2022
Merged
2 tasks
Repository owner moved this from In Progress to Ready To Ship in Roadmap - KEDA Core May 6, 2022
@tomkerkhove tomkerkhove moved this from Ready To Ship to Done in Roadmap - KEDA Core Aug 3, 2022
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zroubalik zroubalik

Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
Roadmap - KEDA Core
Archived in project
Milestone
v2.7.1
3 participants
@zroubalik @tomkerkhove @JorTurFer