From 2b4b07d36904cf18fc3dd0731ff99dfa408fa0e5 Mon Sep 17 00:00:00 2001 From: naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 21 Sep 2021 17:46:31 +0000 Subject: [PATCH] :seedling: Fix GO-2021-0089 vulnerability The github.com/buger/jsonparser has this vulnerability. "vulns": [ { "id": "GO-2021-0089", "package": { "name": "github.com/buger/jsonparser", "ecosystem": "Go" }, "details": "Parsing malformed JSON which contain opening brackets, but not closing brackes,\nleads to an infinite loop. If operating on untrusted user input this can be\nused as a denial of service vector.\n", "affects": { "ranges": [ { "type": "SEMVER", "fixed": "0.0.0-20200321185410-91ac96899e49" } ] }, "aliases": [ "CVE-2020-10675" ], "modified": "2021-04-14T12:00:00Z", "published": "2021-04-14T12:00:00Z", "ecosystem_specific": { "symbols": [ "findKeyStart" ] }, "database_specific": { "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json", "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml" }, "references": [ { "type": "FIX", "url": "https://github.com/buger/jsonparser/pull/192" }, { "type": "FIX", "url": "https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717" }, { "type": "WEB", "url": "https://github.com/buger/jsonparser/issues/188" } ], "affected": [ { "package": { "name": "github.com/buger/jsonparser", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-20200321185410-91ac96899e49" } ] } ], "ecosystem_specific": { "symbols": [ "findKeyStart" ] }, "database_specific": { "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json", "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0089.yaml" } } ] }, { "id": "GO-2021-0057", "package": { "name": "github.com/buger/jsonparser", "ecosystem": "Go" }, "details": "Due to improper bounds checking, maliciously crafted JSON objects\ncan cause an out-of-bounds panic. If parsing user input, this may\nbe used as a denial of service vector.\n", "affects": { "ranges": [ { "type": "SEMVER", "fixed": "1.1.1" } ] }, "aliases": [ "CVE-2020-35381" ], "modified": "2021-04-14T12:00:00Z", "published": "2021-04-14T12:00:00Z", "ecosystem_specific": { "symbols": [ "searchKeys" ] }, "database_specific": { "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json", "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml" }, "references": [ { "type": "FIX", "url": "https://github.com/buger/jsonparser/pull/221" }, { "type": "FIX", "url": "https://github.com/buger/jsonparser/commit/df3ea76ece10095374fd1c9a22a4fb85a44efc42" }, { "type": "WEB", "url": "https://github.com/buger/jsonparser/issues/219" } ], "affected": [ { "package": { "name": "github.com/buger/jsonparser", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.1" } ] } ], "ecosystem_specific": { "symbols": [ "searchKeys" ] }, "database_specific": { "url": "https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0057.yaml", "source": "https://storage.googleapis.com/go-vulndb/github.com/buger/jsonparser.json" } } ] } ] } --- go.mod | 2 ++ go.sum | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index ca0ed04c948..d70d9ff32a0 100644 --- a/go.mod +++ b/go.mod @@ -93,3 +93,5 @@ require ( gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect ) + +replace github.com/buger/jsonparser => github.com/buger/jsonparser v1.1.1 diff --git a/go.sum b/go.sum index be65c5dcc60..2d8188ea2e8 100644 --- a/go.sum +++ b/go.sum @@ -291,7 +291,7 @@ github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBT github.com/bradleyfalzon/ghinstallation/v2 v2.0.2 h1:VdhctVU4Kag+Yo5iuvEvFx4HNpLEI99Cm41UnE7y1WE= github.com/bradleyfalzon/ghinstallation/v2 v2.0.2/go.mod h1:GhRUp70E+QFvNemlFd4unyHZ8ryBiMQkJm6KgdilpUo= github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= -github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= +github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=