Dependency Report
Raw Location Data:🟧 Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in github.com/gin-gonic/gin
Description
When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.
Solution
Upgrade to version 1.7.0 or above.
Severity
High
CVE
go.sum:github.com/gin-gonic/gin:gemnasium:b4e7e4da-94f4-4701-bf8a-ab7bd2784d14
Identifiers
Gemnasium-b4e7e4da-94f4-4701-bf8a-ab7bd2784d14, CVE-2020-28483
Links
https://nvd.nist.gov/vuln/detail/CVE-2020-28483
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "github.com/gin-gonic/gin"
    },
    "version": "v1.1.5-0.20170702092826-d459835d2b07"
  }
}
Raw Location Data:🟧 Nil Pointer Dereference in golang.org/x/crypto
Description
A nil pointer dereference in the golang.org/x/crypto/ssh component enables remote attackers to cause a DoS against SSH servers.
Solution
Upgrade to version v0.0.0-20201216223049-8b5274cf687f or above.
Severity
High
CVE
go.sum:golang.org/x/crypto:gemnasium:ffb814a0-404c-11eb-b378-0242ac130002
Identifiers
Gemnasium-ffb814a0-404c-11eb-b378-0242ac130002, CVE-2020-29652
Links
https://go-review.googlesource.com/c/crypto/+/278852, https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1, https://nvd.nist.gov/vuln/detail/CVE-2020-29652
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "golang.org/x/crypto"
    },
    "version": "v0.0.0-20190308221718-c2843e01d9a2"
  }
}
Raw Location Data:🟧 Loop with Unreachable Exit Condition (Infinite Loop) in golang.org/x/text
Description
The x/text package for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Solution
Upgrade to version 0.3.3 or above.
Severity
High
CVE
go.sum:golang.org/x/text:gemnasium:8ab0265a-d1a9-4085-a661-0d9d9931f0ad
Identifiers
Gemnasium-8ab0265a-d1a9-4085-a661-0d9d9931f0ad, CVE-2020-14040
Links
https://nvd.nist.gov/vuln/detail/CVE-2020-14040
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "golang.org/x/text"
    },
    "version": "v0.3.0"
  }
}
Raw Location Data:
Description
go-yaml is vulnerable to a Billion Laughs Attack.
Solution
Upgrade to version 2.2.3 or above.
Severity
Unknown
CVE
go.sum:gopkg.in/yaml.v2:gemnasium:7368f513-0aa9-4e34-a08d-40ea81f48e0e
Identifiers
Gemnasium-7368f513-0aa9-4e34-a08d-40ea81f48e0e
Links
https://github.com/docker/cli/pull/2117
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "gopkg.in/yaml.v2"
    },
    "version": "v2.2.1"
  }
}