mvalle21 / circonus-unified-agent Goto Github PK

Vulnerable Library - github.com/golang/net/http2-5f4716e94777e714bc2fb3e3a44599cb40817aac

[mirror] Go supplementary network libraries

Dependency Hierarchy:

• github.com/circonus-labs/circonus-unified-agent/plugins/inputs/fibaro-v0.0.10 (Root Library)
  • github.com/circonus-labs/circonus-unified-agent/plugins/inputs-v0.0.10
    • google.golang.org/genproto/googleapis/monitoring/v3-44e461bb6506e1f454f092a809a64f303b6c8e33
      • google.golang.org/grpc-v0.0.0-20210129004707-0bc741730b81
        • github.com/grpc/grpc-go/internal-v1.37.0-dev
          • ❌ github.com/golang/net/http2-5f4716e94777e714bc2fb3e3a44599cb40817aac (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-13

Fix Resolution: v0.2.0

Vulnerable Library - github.com/tidwaLl/gjson-v1.6.7

Get JSON values quickly - JSON parser for Go

Library home page: https://proxy.golang.org/github.com/tidwall/gjson/@v/v1.6.7.zip

Dependency Hierarchy:

• ❌ github.com/tidwaLl/gjson-v1.6.7 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.

Publish Date: 2021-10-22

URL: CVE-2021-42836

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-22

Fix Resolution: v1.9.3

Vulnerable Library - github.com/kardianos/service-v1.2.1-0.20201211143537-ef35c563203c

Run go programs as a service on major platforms.

Library home page: https://proxy.golang.org/github.com/kardianos/service/@v/v1.2.1-0.20201211143537-ef35c563203c.zip

Dependency Hierarchy:

• ❌ github.com/kardianos/service-v1.2.1-0.20201211143537-ef35c563203c (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** DISPUTED ** service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory. NOTE: this finding could not be reproduced by its original reporter or by others.

Publish Date: 2022-04-22

URL: CVE-2022-29583

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - github.com/tidwaLl/gjson-v1.6.7

Get JSON values quickly - JSON parser for Go

Library home page: https://proxy.golang.org/github.com/tidwall/gjson/@v/v1.6.7.zip

Dependency Hierarchy:

• ❌ github.com/tidwaLl/gjson-v1.6.7 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON input.

Publish Date: 2022-05-24

URL: CVE-2021-42248

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42248

Release Date: 2022-05-24

Fix Resolution: v1.9.3

Vulnerable Library - github.com/dgrijalva/jwt-go-v3.2.1-0.20200107013213-dc14462fd587+incompatible

ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:

Library home page: https://proxy.golang.org/github.com/dgrijalva/jwt-go/@v/v3.2.1-0.20200107013213-dc14462fd587+incompatible.zip

Dependency Hierarchy:

• ❌ github.com/dgrijalva/jwt-go-v3.2.1-0.20200107013213-dc14462fd587+incompatible (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-w73w-5m7g-f7qc

Release Date: 2020-09-30

Fix Resolution: 4.0.0-preview1

Vulnerable Library - github.com/golang/net/html-5f4716e94777e714bc2fb3e3a44599cb40817aac

[mirror] Go supplementary network libraries

Dependency Hierarchy:

• github.com/circonus-labs/circonus-unified-agent/plugins/inputs/fibaro-v0.0.10 (Root Library)
  • github.com/circonus-labs/circonus-unified-agent/plugins/inputs-v0.0.10
    • github.com/golang/net/html/charset-5f4716e94777e714bc2fb3e3a44599cb40817aac
      • ❌ github.com/golang/net/html-5f4716e94777e714bc2fb3e3a44599cb40817aac (Vulnerable Library)

Found in base branch: master

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023

Vulnerable Library - github.com/golang/net/http/httpguts-5f4716e94777e714bc2fb3e3a44599cb40817aac

[mirror] Go supplementary network libraries

Dependency Hierarchy:

• github.com/circonus-labs/circonus-unified-agent/plugins/inputs/fibaro-v0.0.10 (Root Library)
  • github.com/circonus-labs/circonus-unified-agent/plugins/inputs-v0.0.10
    • google.golang.org/genproto/googleapis/monitoring/v3-44e461bb6506e1f454f092a809a64f303b6c8e33
      • google.golang.org/grpc-v0.0.0-20210129004707-0bc741730b81
        • github.com/grpc/grpc-go/internal-v1.37.0-dev
          • github.com/golang/net/http2-5f4716e94777e714bc2fb3e3a44599cb40817aac
            • ❌ github.com/golang/net/http/httpguts-5f4716e94777e714bc2fb3e3a44599cb40817aac (Vulnerable Library)

Found in base branch: master

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

Vulnerable Library - github.com/golang/net/http2-5f4716e94777e714bc2fb3e3a44599cb40817aac

[mirror] Go supplementary network libraries

Dependency Hierarchy:

• github.com/circonus-labs/circonus-unified-agent/plugins/inputs/fibaro-v0.0.10 (Root Library)
  • github.com/circonus-labs/circonus-unified-agent/plugins/inputs-v0.0.10
    • google.golang.org/genproto/googleapis/monitoring/v3-44e461bb6506e1f454f092a809a64f303b6c8e33
      • google.golang.org/grpc-v0.0.0-20210129004707-0bc741730b81
        • github.com/grpc/grpc-go/internal-v1.37.0-dev
          • ❌ github.com/golang/net/http2-5f4716e94777e714bc2fb3e3a44599cb40817aac (Vulnerable Library)

Found in base branch: master

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

Vulnerable Library - golang.org/x/text/language-v0.3.5

Package language implements BCP 47 language tags and related functionality.

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.5.zip

Dependency Hierarchy:

• github.com/circonus-labs/circonus-unified-agent/plugins/inputs/fibaro-v0.0.10 (Root Library)
  • github.com/circonus-labs/circonus-unified-agent/plugins/inputs-v0.0.10
    • github.com/circonus-labs/circonus-unified-agent/plugins/inputs/postgresql_extensible-v0.0.10
      • github.com/jackc/pgx/stdlib-v4.11.0
        • github.com/jackc/pgconn-v1.8.1
          • golang.org/x/text/secure/precis-75a595aef632b07c6eeaaa805adb6f0f66e4130e
            • ❌ golang.org/x/text/language-v0.3.5 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

Vulnerable Library - golang.org/x/text/language-v0.3.5

Package language implements BCP 47 language tags and related functionality.

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.5.zip

Dependency Hierarchy:

• github.com/circonus-labs/circonus-unified-agent/plugins/inputs/fibaro-v0.0.10 (Root Library)
  • github.com/circonus-labs/circonus-unified-agent/plugins/inputs-v0.0.10
    • github.com/circonus-labs/circonus-unified-agent/plugins/inputs/postgresql_extensible-v0.0.10
      • github.com/jackc/pgx/stdlib-v4.11.0
        • github.com/jackc/pgconn-v1.8.1
          • golang.org/x/text/secure/precis-75a595aef632b07c6eeaaa805adb6f0f66e4130e
            • ❌ golang.org/x/text/language-v0.3.5 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8