/
temporal.advisories.yaml
127 lines (115 loc) · 3.36 KB
/
temporal.advisories.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
schema-version: 2.0.2
package:
name: temporal
advisories:
- id: CVE-2023-3485
aliases:
- GHSA-gm2g-2xr9-pxxj
events:
- timestamp: 2023-09-30T19:12:10Z
type: detection
data:
type: nvdapi
data:
cpeSearched: cpe:2.3:a:*:temporal:*:*:*:*:*:*:*:*
cpeFound: cpe:2.3:a:temporal:temporal:*:*:*:*:*:*:*:*
- timestamp: 2023-10-01T00:15:29Z
type: false-positive-determination
data:
type: component-vulnerability-mismatch
note: Our 'temporal' package is actually the temporal CLI, not the temporal server itself. (The found CPE is a related component.)
- id: CVE-2023-45283
aliases:
- GHSA-vvjp-q62m-2vph
events:
- timestamp: 2023-11-07T19:39:06Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: Only affects Windows
- id: CVE-2023-45284
aliases:
- GHSA-rq3x-83w4-p28c
events:
- timestamp: 2023-11-07T19:39:08Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: Only affects Windows
- id: CVE-2023-45289
aliases:
- GHSA-32ch-6x54-q4h9
events:
- timestamp: 2024-03-12T08:10:27Z
type: fixed
data:
fixed-version: 0.11.0-r1
- id: CVE-2023-45290
aliases:
- GHSA-rr6r-cfgf-gc6h
events:
- timestamp: 2024-03-12T08:10:28Z
type: fixed
data:
fixed-version: 0.11.0-r1
- id: CVE-2023-47108
aliases:
- GHSA-8pgv-569h-w5rw
events:
- timestamp: 2023-12-11T20:40:14Z
type: pending-upstream-fix
data:
note: |
We faced issues with "otlpmetricgrpc@v0.44.0/internal/transform/metricdata.go:108:18:undefined: metricdata.ExponentialHistogram" when upgrading otlpmetricgrpc to v0.46.0. It has some strict dependencies in the source code common/telemetry using an old version and thus this fix will require some code changes in upstream.
- id: CVE-2023-48795
aliases:
- GHSA-45x7-px36-x8w8
events:
- timestamp: 2023-12-22T15:02:35Z
type: fixed
data:
fixed-version: 0.10.7-r3
- id: CVE-2024-24783
aliases:
- GHSA-3q2c-pvp5-3cqp
events:
- timestamp: 2024-03-12T08:10:28Z
type: fixed
data:
fixed-version: 0.11.0-r1
- id: CVE-2024-24784
aliases:
- GHSA-fgq5-q76c-gx78
events:
- timestamp: 2024-03-12T08:10:29Z
type: fixed
data:
fixed-version: 0.11.0-r1
- id: CVE-2024-24785
aliases:
- GHSA-j6m3-gc37-6r6q
events:
- timestamp: 2024-03-12T08:10:30Z
type: fixed
data:
fixed-version: 0.11.0-r1
- id: CVE-2024-24786
aliases:
- GHSA-8r3f-844c-mc37
events:
- timestamp: 2024-03-14T13:20:06Z
type: detection
data:
type: scan/v1
data:
subpackageName: temporal-docgen
componentID: 690bf3af647a094f
componentName: google.golang.org/protobuf
componentVersion: v1.31.0
componentType: go-module
componentLocation: /usr/bin/temporal-docgen
scanner: grype
- timestamp: 2024-03-18T14:00:38Z
type: fixed
data:
fixed-version: 0.11.0-r2