
change go module version and go version #12

Merged (1 commit, Apr 3, 2023)

Conversation

rainerleber

This PR will fix a lot of vulnerabilities by changing the module versions.

@rainerleber

{
"SchemaVersion": 2,
"ArtifactName": "quay.io/mobb/ecr-secret-operator",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "debian",
"Name": "11.4"
},
"ImageID": "sha256:f8164ba7e90c0a5deb400f35f519b3290c8785a22fd7607e92affb7c1620d59f",
"DiffIDs": [
"sha256:c24fe0225c12cb76554571cd1fddb997d7561cb2a449335e75b02493382cd129",
"sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
],
"RepoTags": [
"quay.io/mobb/ecr-secret-operator:latest"
],
"RepoDigests": [
"quay.io/mobb/ecr-secret-operator@sha256:c6ef40c339632fe97345b6328b92556251c591288f7801109e2c89e51a47e9d9"
],
"ImageConfig": {
"architecture": "arm64",
"author": "Bazel",
"created": "2022-08-15T13:34:32.900796254Z",
"history": [
{
"author": "Bazel",
"created": "1970-01-01T00:00:00Z",
"created_by": "bazel build ..."
},
{
"created": "2022-08-15T13:34:32.900796254Z",
"created_by": "WORKDIR /",
"comment": "buildkit.dockerfile.v0",
"empty_layer": true
},
{
"created": "2022-08-15T13:34:32.900796254Z",
"created_by": "COPY /workspace/manager . # buildkit",
"comment": "buildkit.dockerfile.v0"
},
{
"created": "2022-08-15T13:34:32.900796254Z",
"created_by": "USER 65532:65532",
"comment": "buildkit.dockerfile.v0",
"empty_layer": true
},
{
"created": "2022-08-15T13:34:32.900796254Z",
"created_by": "ENTRYPOINT [\"/manager\"]",
"comment": "buildkit.dockerfile.v0",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:c24fe0225c12cb76554571cd1fddb997d7561cb2a449335e75b02493382cd129",
"sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
]
},
"config": {
"Entrypoint": [
"/manager"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
],
"User": "65532:65532",
"WorkingDir": "/"
}
}
},
"Results": [
{
"Target": "quay.io/mobb/ecr-secret-operator (debian 11.4)",
"Class": "os-pkgs",
"Type": "debian"
},
{
"Target": "manager",
"Class": "lang-pkgs",
"Type": "gobinary",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2020-8911",
"PkgName": "github.com/aws/aws-sdk-go",
"InstalledVersion": "v1.43.42",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8911",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang",
"Description": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-327"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"V3Score": 5.6
},
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"V2Score": 2.1,
"V3Score": 5.6
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"V3Score": 5.6
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-8911",
"https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09",
"https://bugzilla.redhat.com/show_bug.cgi?id=1869800",
"https://github.com/advisories/GHSA-f5pg-7wfw-84q9",
"https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e",
"https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4",
"https://github.com/aws/aws-sdk-go/pull/3403",
"https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9",
"https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc",
"https://nvd.nist.gov/vuln/detail/CVE-2020-8911",
"https://pkg.go.dev/vuln/GO-2022-0646"
],
"PublishedDate": "2020-08-11T20:15:00Z",
"LastModifiedDate": "2020-08-18T13:37:00Z"
},
{
"VulnerabilityID": "CVE-2020-8912",
"PkgName": "github.com/aws/aws-sdk-go",
"InstalledVersion": "v1.43.42",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8912",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang",
"Description": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
"Severity": "LOW",
"CweIDs": [
"CWE-327"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 2.5
},
"nvd": {
"V2Vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 2.1,
"V3Score": 2.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"V3Score": 2.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-8912",
"https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09",
"https://bugzilla.redhat.com/show_bug.cgi?id=1869801",
"https://github.com/advisories/GHSA-7f33-f4f5-xwgw",
"https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e",
"https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4",
"https://github.com/aws/aws-sdk-go/pull/3403",
"https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw",
"https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc",
"https://nvd.nist.gov/vuln/detail/CVE-2020-8912",
"https://pkg.go.dev/vuln/GO-2022-0646"
],
"PublishedDate": "2020-08-11T20:15:00Z",
"LastModifiedDate": "2020-08-17T19:31:00Z"
},
{
"VulnerabilityID": "CVE-2022-21698",
"PkgName": "github.com/prometheus/client_golang",
"InstalledVersion": "v1.11.0",
"FixedVersion": "1.11.1",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-21698",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "prometheus/client_golang: Denial of service using InstrumentHandlerCounter",
"Description": "client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.",
"Severity": "HIGH",
"CweIDs": [
"CWE-400"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2022:8057",
"https://access.redhat.com/security/cve/CVE-2022-21698",
"https://bugzilla.redhat.com/2044628",
"https://bugzilla.redhat.com/2045880",
"https://bugzilla.redhat.com/2050648",
"https://bugzilla.redhat.com/2050742",
"https://bugzilla.redhat.com/2050743",
"https://bugzilla.redhat.com/2065290",
"https://bugzilla.redhat.com/2107342",
"https://bugzilla.redhat.com/2107371",
"https://bugzilla.redhat.com/2107374",
"https://bugzilla.redhat.com/2107376",
"https://bugzilla.redhat.com/2107383",
"https://bugzilla.redhat.com/2107386",
"https://bugzilla.redhat.com/2107388",
"https://bugzilla.redhat.com/2107390",
"https://bugzilla.redhat.com/2107392",
"https://errata.almalinux.org/9/ALSA-2022-8057.html",
"https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
"https://github.com/prometheus/client_golang/pull/962",
"https://github.com/prometheus/client_golang/pull/987",
"https://github.com/prometheus/client_golang/releases/tag/v1.11.1",
"https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p",
"https://linux.oracle.com/cve/CVE-2022-21698.html",
"https://linux.oracle.com/errata/ELSA-2022-8057.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3L6GDN5S5QZSCFKWD3GKL2RDZQ6B4UWA/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5OGNAFVXSMTTT2UPH6CS3IH6L3KM42Q7/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RN7JGC2LVHPEGSJYODFUV5FEKPBVG4D7/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-21698",
"https://pkg.go.dev/vuln/GO-2022-0322"
],
"PublishedDate": "2022-02-15T16:15:00Z",
"LastModifiedDate": "2022-12-09T16:46:00Z"
},
{
"VulnerabilityID": "CVE-2021-43565",
"PkgName": "golang.org/x/crypto",
"InstalledVersion": "v0.0.0-20210817164053-32db794688a5",
"FixedVersion": "0.0.0-20211202192323-5770296d904e",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43565",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang.org/x/crypto: empty plaintext packet causes panic",
"Description": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.",
"Severity": "HIGH",
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-43565",
"https://github.com/advisories/GHSA-gwc9-m7rh-j2ww",
"https://go.dev/cl/368814/",
"https://go.dev/issues/49932",
"https://groups.google.com/forum/#!forum/golang-announce",
"https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs",
"https://nvd.nist.gov/vuln/detail/CVE-2021-43565",
"https://pkg.go.dev/vuln/GO-2022-0968"
],
"PublishedDate": "2022-09-06T18:15:00Z",
"LastModifiedDate": "2022-09-09T03:38:00Z"
},
{
"VulnerabilityID": "CVE-2022-27191",
"PkgName": "golang.org/x/crypto",
"InstalledVersion": "v0.0.0-20210817164053-32db794688a5",
"FixedVersion": "0.0.0-20220314234659-1baeb1ce4c0b",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: crash in a golang.org/x/crypto/ssh server",
"Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
"Severity": "HIGH",
"CweIDs": [
"CWE-327"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 4.3,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2022:8008",
"https://access.redhat.com/security/cve/CVE-2022-27191",
"https://bugzilla.redhat.com/1939485",
"https://bugzilla.redhat.com/1989564",
"https://bugzilla.redhat.com/1989570",
"https://bugzilla.redhat.com/1989575",
"https://bugzilla.redhat.com/2064702",
"https://bugzilla.redhat.com/2121445",
"https://bugzilla.redhat.com/2121453",
"https://errata.almalinux.org/9/ALSA-2022-8008.html",
"https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
"https://go.dev/cl/392355",
"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d",
"https://groups.google.com/g/golang-announce",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ",
"https://linux.oracle.com/cve/CVE-2022-27191.html",
"https://linux.oracle.com/errata/ELSA-2022-8008.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-27191",
"https://pkg.go.dev/vuln/GO-2021-0356",
"https://raw.githubusercontent.com/golang/vulndb/df2d3d326300e2ae768f00351ffa96cc2c56cf54/reports/GO-2021-0356.yaml",
"https://security.netapp.com/advisory/ntap-20220429-0002/"
],
"PublishedDate": "2022-03-18T07:15:00Z",
"LastModifiedDate": "2022-10-26T17:52:00Z"
},
{
"VulnerabilityID": "CVE-2022-27664",
"PkgName": "golang.org/x/net",
"InstalledVersion": "v0.0.0-20220225172249-27dd8689420f",
"FixedVersion": "0.0.0-20220906165146-f3363e06e74c",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27664",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: net/http: handle server errors after sending GOAWAY",
"Description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.",
"Severity": "HIGH",
"CVSS": {
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 6.5
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2022:7129",
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27664.json",
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32189.json",
"https://access.redhat.com/security/cve/CVE-2022-27664",
"https://bugzilla.redhat.com/1913333",
"https://bugzilla.redhat.com/1913338",
"https://bugzilla.redhat.com/2107371",
"https://bugzilla.redhat.com/2107374",
"https://bugzilla.redhat.com/2107383",
"https://bugzilla.redhat.com/2107386",
"https://bugzilla.redhat.com/2107388",
"https://bugzilla.redhat.com/2113814",
"https://bugzilla.redhat.com/2124669",
"https://errata.almalinux.org/8/ALSA-2022-7129.html",
"https://go.dev/cl/428735",
"https://go.dev/issue/54658",
"https://groups.google.com/g/golang-announce",
"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s",
"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"https://linux.oracle.com/cve/CVE-2022-27664.html",
"https://linux.oracle.com/errata/ELSA-2022-7129.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"https://pkg.go.dev/vuln/GO-2022-0969",
"https://security.gentoo.org/glsa/202209-26",
"https://security.netapp.com/advisory/ntap-20220923-0004/"
],
"PublishedDate": "2022-09-06T18:15:00Z",
"LastModifiedDate": "2022-10-28T12:42:00Z"
},
{
"VulnerabilityID": "CVE-2022-41717",
"PkgName": "golang.org/x/net",
"InstalledVersion": "v0.0.0-20220225172249-27dd8689420f",
"FixedVersion": "0.4.0",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41717",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "An attacker can cause excessive memory growth in a Go server accepting ...",
"Description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-770"
],
"CVSS": {
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
}
},
"References": [
"https://go.dev/cl/455635",
"https://go.dev/cl/455717",
"https://go.dev/issue/56350",
"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"https://pkg.go.dev/vuln/GO-2022-1144"
],
"PublishedDate": "2022-12-08T20:15:00Z",
"LastModifiedDate": "2022-12-12T17:50:00Z"
},
{
"VulnerabilityID": "CVE-2022-29526",
"PkgName": "golang.org/x/sys",
"InstalledVersion": "v0.0.0-20211216021012-1d35b9e2eb4e",
"FixedVersion": "0.0.0-20220412211240-33da011f77ad",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-29526",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: syscall: faccessat checks wrong group",
"Description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-269"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"V2Score": 5,
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 6.2
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-29526",
"https://github.com/golang/go/issues/52313",
"https://go.dev/cl/399539",
"https://go.dev/cl/400074",
"https://go.dev/issue/52313",
"https://groups.google.com/g/golang-announce",
"https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU",
"https://linux.oracle.com/cve/CVE-2022-29526.html",
"https://linux.oracle.com/errata/ELSA-2022-5337.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/",
"https://pkg.go.dev/vuln/GO-2022-0493",
"https://security.gentoo.org/glsa/202208-02",
"https://security.netapp.com/advisory/ntap-20220729-0001/"
],
"PublishedDate": "2022-06-23T17:15:00Z",
"LastModifiedDate": "2022-08-19T12:50:00Z"
},
{
"VulnerabilityID": "CVE-2022-32149",
"PkgName": "golang.org/x/text",
"InstalledVersion": "v0.3.7",
"FixedVersion": "0.3.8",
"Layer": {
"Digest": "sha256:9a3b06e5581dcf28c22194bb802450a42901abdb6a73a11cabb7570372c1b13c",
"DiffID": "sha256:5ba0d3cd39eae8c5aad877af2040e35741ca49dfc30edc9571620bf1b13e0d73"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-32149",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags",
"Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
"Severity": "HIGH",
"CweIDs": [
"CWE-772"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-32149",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32149",
"https://github.com/advisories/GHSA-69ch-w2m2-3vjp",
"https://github.com/golang/go/issues/56152",
"https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c",
"https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c (v0.3.8)",
"https://go.dev/cl/442235",
"https://go.dev/issue/56152",
"https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ",
"https://groups.google.com/g/golang-dev/c/qfPIly0X7aU",
"https://nvd.nist.gov/vuln/detail/CVE-2022-32149",
"https://pkg.go.dev/vuln/GO-2022-1059"
],
"PublishedDate": "2022-10-14T15:15:00Z",
"LastModifiedDate": "2022-10-18T17:41:00Z"
}
]
}
]
}

@rainerleber rainerleber changed the title change go module version on go version change go module version and go version Jan 13, 2023
@datianshi

Looks like this does not compile.

@datianshi

I will merge and fix several issues later. Thanks for the contribution.

@datianshi datianshi merged commit 7c27b56 into rh-mobb:main Apr 3, 2023