Dependency Report
🟧 Nil Pointer Dereference in golang.org/x/crypto
Description
A nil pointer dereference in the golang.org/x/crypto/ssh component enables remote attackers to cause a DoS against SSH servers.
Solution
Upgrade to version v0.0.0-20201216223049-8b5274cf687f or above.
Severity
High
CVE
go.sum:golang.org/x/crypto:gemnasium:ffb814a0-404c-11eb-b378-0242ac130002
Identifiers
Gemnasium-ffb814a0-404c-11eb-b378-0242ac130002, CVE-2020-29652
Links
https://go-review.googlesource.com/c/crypto/+/278852, https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1, https://nvd.nist.gov/vuln/detail/CVE-2020-29652
Raw Location Data:
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "golang.org/x/crypto"
    },
    "version": "v0.0.0-20190308221718-c2843e01d9a2"
  }
}

🟧 Loop with Unreachable Exit Condition (Infinite Loop) in golang.org/x/text
Description
The x/text package for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Solution
Upgrade to version 0.3.3 or above.
Severity
High
CVE
go.sum:golang.org/x/text:gemnasium:8ab0265a-d1a9-4085-a661-0d9d9931f0ad
Identifiers
Gemnasium-8ab0265a-d1a9-4085-a661-0d9d9931f0ad, CVE-2020-14040
Links
https://nvd.nist.gov/vuln/detail/CVE-2020-14040
Raw Location Data:
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "golang.org/x/text"
    },
    "version": "v0.3.0"
  }
}

🟨 Excessive Platform Resource Consumption within a Loop in Kubernetes in gopkg.in/yaml.v2
Description
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Solution
Upgrade to version 2.2.8 or above.
Severity
Medium
CVE
go.sum:gopkg.in/yaml.v2:gemnasium:479bfa14-4b11-4314-ad05-696ac3b7b162
Identifiers
Gemnasium-479bfa14-4b11-4314-ad05-696ac3b7b162, CVE-2019-11254, GHSA-wxc4-f4m6-wwqv
Links
https://github.com/advisories/GHSA-wxc4-f4m6-wwqv, https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48, https://github.com/kubernetes/kubernetes/issues/89535, https://github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8, https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ, https://nvd.nist.gov/vuln/detail/CVE-2019-11254, https://security.netapp.com/advisory/ntap-20200413-0003/
Raw Location Data:
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "gopkg.in/yaml.v2"
    },
    "version": "v2.2.2"
  }
}

Description
go-yaml is vulnerable to a Billion Laughs Attack.
Solution
Upgrade to version 2.2.3 or above.
Severity
Unknown
CVE
go.sum:gopkg.in/yaml.v2:gemnasium:7368f513-0aa9-4e34-a08d-40ea81f48e0e
Identifiers
Gemnasium-7368f513-0aa9-4e34-a08d-40ea81f48e0e
Links
https://github.com/docker/cli/pull/2117
Raw Location Data:
{
  "file": "go.sum",
  "dependency": {
    "package": {
      "name": "gopkg.in/yaml.v2"
    },
    "version": "v2.2.2"
  }
}