Several Go module dependency vulnerabilities observed in apisix-dashboard #2909

Open
rafariossaa opened this issue Jan 18, 2024 · 0 comments
Labels
bug Something isn't working

rafariossaa commented Jan 18, 2024

Issue description

When running a trivy scan on apisix-dashboard v3.0.1, it reported several CVEs on the dependencies.
Is it possible to update those dependencies?

apisix-dashboard-3.0.1$ trivy filesystem  --vuln-type library .
2024-01-18T16:02:31.827Z        INFO    Vulnerability scanning is enabled
2024-01-18T16:02:31.827Z        INFO    Secret scanning is enabled
2024-01-18T16:02:31.827Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-18T16:02:31.827Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2024-01-18T16:02:32.606Z        INFO    Number of language-specific files: 3
2024-01-18T16:02:32.606Z        INFO    Detecting gomod vulnerabilities...
2024-01-18T16:02:32.608Z        INFO    Detecting yarn vulnerabilities...

api/go.mod (gomod)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 2, CRITICAL: 0)

┌──────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│         Library          │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                            Title                             │
├──────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/gin-gonic/gin │ CVE-2023-29401      │ MEDIUM   │ 1.9.0             │ 1.9.1                  │ golang-github-gin-gonic-gin: Gin Web Framework does not      │
│                          │                     │          │                   │                        │ properly sanitize filename parameter of                      │
│                          │                     │          │                   │                        │ Context.FileAttachment...                                    │
│                          │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-29401                   │
├──────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto      │ CVE-2023-48795      │          │ 0.5.0             │ 0.17.0                 │ ssh: Prefix truncation attack on Binary Packet Protocol      │
│                          │                     │          │                   │                        │ (BPP)                                                        │
│                          │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-48795                   │
├──────────────────────────┼─────────────────────┼──────────┼───────────────────┤                        ├──────────────────────────────────────────────────────────────┤
│ golang.org/x/net         │ CVE-2023-39325      │ HIGH     │ 0.7.0             │                        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                          │                     │          │                   │                        │ excessive work (CVE-2023-44487)                              │
│                          │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                          ├─────────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-3978       │ MEDIUM   │                   │ 0.13.0                 │ golang.org/x/net/html: Cross site scripting                  │
│                          │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                          ├─────────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-44487      │          │                   │ 0.17.0                 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                          │                     │          │                   │                        │ to a DDoS attack...                                          │
│                          │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├──────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc   │ GHSA-m425-mq94-257g │ HIGH     │ 1.47.0            │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                          │                     │          │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                          ├─────────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-44487      │ MEDIUM   │                   │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                          │                     │          │                   │                        │ to a DDoS attack...                                          │
│                          │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└──────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Expected behavior

Dependencies up to date

How to Reproduce

Run trivy scan on source code

@rafariossaa rafariossaa added the bug Something isn't working label Jan 18, 2024
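As an added example (not code from this issue or from the apisix-dashboard project), the script below turns a trivy JSON report into the lowest set of `go get` pins that closes every finding, and lists what a CI gate would block on. The sample report is constructed from the table above (same modules, versions and IDs; it is not the output of a real run); the JSON field names are the ones trivy's `--format json` output uses. The one subtlety worth showing is how to pick a target version when a module has several findings (take the highest of the per-finding fixes) and when a single finding lists several fixed releases (take the lowest, as it is the smallest upgrade).

```python
import json

# Constructed sample: a trimmed trivy --format json report carrying the same
# findings as the table in the issue (values copied from it; this JSON was not
# produced by an actual scan). Field names (Results, Type, Vulnerabilities,
# VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) are
# those of trivy's JSON output.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "api/go.mod",
        "Type": "gomod",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-29401", "PkgName": "github.com/gin-gonic/gin",
             "InstalledVersion": "1.9.0", "FixedVersion": "1.9.1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-48795", "PkgName": "golang.org/x/crypto",
             "InstalledVersion": "0.5.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net",
             "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-3978", "PkgName": "golang.org/x/net",
             "InstalledVersion": "0.7.0", "FixedVersion": "0.13.0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
             "InstalledVersion": "0.7.0", "FixedVersion": "0.17.0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "GHSA-m425-mq94-257g", "PkgName": "google.golang.org/grpc",
             "InstalledVersion": "1.47.0", "FixedVersion": "1.56.3, 1.57.1, 1.58.3", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "google.golang.org/grpc",
             "InstalledVersion": "1.47.0", "FixedVersion": "1.58.3, 1.57.1, 1.56.3", "Severity": "MEDIUM"},
        ],
    }]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(version):
    """Turn "v1.9.1" or "1.9.1" into a comparable tuple, ignoring any
    pre-release or build suffix (sufficient for the module versions here)."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def minimal_fix(fixed_field):
    """trivy may list several fixed releases (backports on older minor lines,
    e.g. "1.56.3, 1.57.1, 1.58.3"); the smallest upgrade is the lowest one."""
    candidates = [c.strip() for c in fixed_field.split(",") if c.strip()]
    return min(candidates, key=parse_version)


def upgrade_targets(report_json):
    """Map each gomod package to the lowest version closing all of its
    findings: per finding the lowest fixed release, across findings the
    highest of those. Findings without a fixed version are returned
    separately, since they need a mitigation other than a version bump."""
    targets, unfixed = {}, []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Type") != "gomod":
            continue
        for vuln in result.get("Vulnerabilities", []):
            pkg = vuln["PkgName"]
            fixed = vuln.get("FixedVersion", "")
            if not fixed:
                unfixed.append((pkg, vuln["VulnerabilityID"]))
                continue
            needed = minimal_fix(fixed)
            if pkg not in targets or parse_version(needed) > parse_version(targets[pkg]):
                targets[pkg] = needed
    return targets, unfixed


def go_get_commands(targets):
    """Go module versions are tagged with a leading 'v'."""
    return [f"go get {pkg}@v{ver}" for pkg, ver in sorted(targets.items())]


def findings_at_or_above(report_json, threshold="HIGH"):
    """Findings a CI gate would block on (the same idea as trivy's
    --severity together with --exit-code)."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) >= floor:
                hits.append((vuln["PkgName"], vuln["VulnerabilityID"], vuln["Severity"]))
    return hits


if __name__ == "__main__":
    targets, unfixed = upgrade_targets(SAMPLE_REPORT)
    for cmd in go_get_commands(targets):
        print(cmd)
    for pkg, vid in unfixed:
        print(f"# no fixed version published yet for {pkg} ({vid})")
    blocking = findings_at_or_above(SAMPLE_REPORT, "HIGH")
    print(f"{len(blocking)} finding(s) at HIGH or above")
```

To use it on a real scan, produce the report with `trivy fs --format json -o report.json .` and pass the file contents to `upgrade_targets`; after running the printed `go get` lines in the module directory, run `go mod tidy` and rescan, since a bumped module can pull in further transitive updates.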