<!-- Source: github.com/argoproj/argo-cd/v2@v2.10.9/docs/snyk/master/ghcr.io_dexidp_dex_v2.37.0.html -->
<!DOCTYPE html>
<html lang="en">

<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Language" content="en-us">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="28 known vulnerabilities found in 79 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" sizes="194x194">
<link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
<style type="text/css">

body {
  -moz-font-feature-settings: "pnum";
  -webkit-font-feature-settings: "pnum";
  font-variant-numeric: proportional-nums;
  display: flex;
  flex-direction: column;
  font-feature-settings: "pnum";
  font-size: 100%;
  line-height: 1.5;
  min-height: 100vh;
  -webkit-text-size-adjust: 100%;
  margin: 0;
  padding: 0;
  background-color: #F5F5F5;
  font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
}

h1,
h2,
h3,
h4,
h5,
h6 {
  font-weight: 500;
}

a,
a:link,
a:visited {
  border-bottom: 1px solid #4b45a9;
  text-decoration: none;
  color: #4b45a9;
}

a:hover,
a:focus,
a:active {
  border-bottom: 1px solid #4b45a9;
}

hr {
  border: none;
  margin: 1em 0;
  border-top: 1px solid #c5c5c5;
}

ul {
  padding: 0 1em;
  margin: 1em 0;
}

code {
  background-color: #EEE;
  color: #333;
  padding: 0.25em 0.5em;
  border-radius: 0.25em;
}

pre {
  background-color: #333;
  font-family: monospace;
  padding: 0.5em 1em 0.75em;
  border-radius: 0.25em;
  font-size: 14px;
}

pre code {
  padding: 0;
  background-color: transparent;
  color: #fff;
}

a code {
  border-radius: .125rem .125rem 0 0;
  padding-bottom: 0;
  color: #4b45a9;
}

a[href^="http://"]:after,
a[href^="https://"]:after {
  background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
  background-repeat: no-repeat;
  background-size: .75rem;
  content: "";
  display: inline-block;
  height: .75rem;
  margin-left: .25rem;
  width: .75rem;
}


/* Layout */

[class*=layout-container] {
  margin: 0 auto;
  max-width: 71.25em;
  padding: 1.9em 1.3em;
  position: relative;
}
.layout-container--short {
  padding-top: 0;
  padding-bottom: 0;
  max-width: 48.75em;
}

.layout-container--short:after {
  display: block;
  content: "";
  clear: both;
}

/* Header */

.header {
  padding-bottom: 1px;
}

.paths {
  margin-left: 8px;
}
.header-wrap {
  display: flex;
  flex-direction: row;
  justify-content: space-between;
  padding-top: 2em;
}
.project__header {
  background-color: #4b45a9;
  color: #fff;
  margin-bottom: -1px;
  padding-top: 1em;
  padding-bottom: 0.25em;
  border-bottom: 2px solid #BBB;
}

.project__header__title {
  overflow-wrap: break-word;
  word-wrap: break-word;
  word-break: break-all;
  margin-bottom: .1em;
  margin-top: 0;
}

.timestamp {
  float: right;
  clear: none;
  margin-bottom: 0;
}

.meta-counts {
  clear: both;
  display: block;
  flex-wrap: wrap;
  justify-content: space-between;
  margin: 0 0 1.5em;
  color: #fff;
  clear: both;
  font-size: 1.1em;
}

.meta-count {
  display: block;
  flex-basis: 100%;
  margin: 0 1em 1em 0;
  float: left;
  padding-right: 1em;
  border-right: 2px solid #fff;
}

.meta-count:last-child {
  border-right: 0;
  padding-right: 0;
  margin-right: 0;
}

/* Card */

.card {
  background-color: #fff;
  border: 1px solid #c5c5c5;
  border-radius: .25rem;
  margin: 0 0 2em 0;
  position: relative;
  min-height: 40px;
  padding: 1.5em;
}

.card .label {
  background-color: #767676;
  border: 2px solid #767676;
  color: white;
  padding: 0.25rem 0.75rem;
  font-size: 0.875rem;
  text-transform: uppercase;
  display: inline-block;
  margin: 0;
  border-radius: 0.25rem;
}

.card .label__text {
  vertical-align: text-top;
  font-weight: bold;
}

.card .label--critical {
  background-color: #AB1A1A;
  border-color: #AB1A1A;
}

.card .label--high {
  background-color: #CE5019;
  border-color: #CE5019;
}

.card .label--medium {
  background-color: #D68000;
  border-color: #D68000;
}

.card .label--low {
  background-color: #88879E;
  border-color: #88879E;
}

.severity--low {
  border-color: #88879E;
}

.severity--medium {
  border-color: #D68000;
}

.severity--high {
  border-color: #CE5019;
}

.severity--critical {
  border-color: #AB1A1A;
}

.card--vuln {
  padding-top: 4em;
}

.card--vuln .label {
  left: 0;
  position: absolute;
  top: 1.1em;
  padding-left: 1.9em;
  padding-right: 1.9em;
  border-radius: 0 0.25rem 0.25rem 0;
}

.card--vuln .card__section h2 {
  font-size: 22px;
  margin-bottom: 0.5em;
}

.card--vuln .card__section p {
  margin: 0 0 0.5em 0;
}

.card--vuln .card__meta {
  padding: 0 0 0 1em;
  margin: 0;
  font-size: 1.1em;
}

.card .card__meta__paths {
  font-size: 0.9em;
}

.card--vuln .card__title {
  font-size: 28px;
  margin-top: 0;
}

.card--vuln .card__cta p {
  margin: 0;
  text-align: right;
}

.source-panel {
  clear: both;
  display: flex;
  justify-content: flex-start;
  flex-direction: column;
  align-items: flex-start;
  padding: 0.5em 0;
  width: fit-content;
}

</style>
<style type="text/css">
.metatable {
  text-size-adjust: 100%;
  -webkit-font-smoothing: antialiased;
  -webkit-box-direction: normal;
  color: inherit;
  font-feature-settings: "pnum";
  box-sizing: border-box;
  background: transparent;
  border: 0;
  font: inherit;
  font-size: 100%;
  margin: 0;
  outline: none;
  padding: 0;
  text-align: left;
  text-decoration: none;
  vertical-align: baseline;
  z-index: auto;
  margin-top: 12px;
  border-collapse: collapse;
  border-spacing: 0;
  font-variant-numeric: tabular-nums;
  max-width: 51.75em;
}

tbody {
  text-size-adjust: 100%;
  -webkit-font-smoothing: antialiased;
  -webkit-box-direction: normal;
  color: inherit;
  font-feature-settings: "pnum";
  border-collapse: collapse;
  border-spacing: 0;
  box-sizing: border-box;
  background: transparent;
  border: 0;
  font: inherit;
  font-size: 100%;
  margin: 0;
  outline: none;
  padding: 0;
  text-align: left;
  text-decoration: none;
  vertical-align: baseline;
  z-index: auto;
  display: flex;
  flex-wrap: wrap;
}

.meta-row {
  text-size-adjust: 100%;
  -webkit-font-smoothing: antialiased;
  -webkit-box-direction: normal;
  color: inherit;
  font-feature-settings: "pnum";
  border-collapse: collapse;
  border-spacing: 0;
  box-sizing: border-box;
  background: transparent;
  border: 0;
  font: inherit;
  font-size: 100%;
  outline: none;
  text-align: left;
  text-decoration: none;
  vertical-align: baseline;
  z-index: auto;
  display: flex;
  align-items: start;
  border-top: 1px solid #d3d3d9;
  padding: 8px 0 0 0;
  border-bottom: none;
  margin: 8px;
  width: 47.75%;
}

.meta-row-label {
  text-size-adjust: 100%;
  -webkit-font-smoothing: antialiased;
  -webkit-box-direction: normal;
  font-feature-settings: "pnum";
  border-collapse: collapse;
  border-spacing: 0;
  color: #4c4a73;
  box-sizing: border-box;
  background: transparent;
  border: 0;
  font: inherit;
  margin: 0;
  outline: none;
  text-decoration: none;
  z-index: auto;
  align-self: start;
  flex: 1;
  font-size: 1rem;
  line-height: 1.5rem;
  padding: 0;
  text-align: left;
  vertical-align: top;
  text-transform: none;
  letter-spacing: 0;
}

.meta-row-value {
  text-size-adjust: 100%;
  -webkit-font-smoothing: antialiased;
  -webkit-box-direction: normal;
  color: inherit;
  font-feature-settings: "pnum";
  border-collapse: collapse;
  border-spacing: 0;
  word-break: break-word;
  box-sizing: border-box;
  background: transparent;
  border: 0;
  font: inherit;
  font-size: 100%;
  margin: 0;
  outline: none;
  padding: 0;
  text-align: right;
  text-decoration: none;
  vertical-align: baseline;
  z-index: auto;
}
</style>
</head>

<body class="section-projects">
<main class="layout-stacked">
<div class="layout-stacked__header header">
<header class="project__header">
<div class="layout-container">
<a class="brand" href="https://snyk.io" title="Snyk">
<svg width="68px"
height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
<title>Snyk - Open Source Security</title>
<g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g fill="#fff">
<path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
</g>
</g>
</svg>
</a>
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">October 29th 2023, 12:14:53 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
<ul>
<li class="paths">ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (apk)</li>
<li class="paths">ghcr.io/dexidp/dex:v2.37.0/hairyhenderson/gomplate/v3 (gomodules)</li>
<li class="paths">ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)</li>
<li class="paths">ghcr.io/dexidp/dex:v2.37.0/dexidp/dex (gomodules)</li>
</ul>
</div>

<div class="meta-counts">
<div class="meta-count"><span>28</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>79 vulnerable dependency paths</span></div>
<div class="meta-count"><span>786</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->
</div><!-- .layout-stacked__header -->

<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Out-of-bounds Write</h2>
<div class="card__section">

<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.18
</li>
<li class="card__meta__item">
Vulnerable module:
busybox/busybox
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.37.0 and busybox/busybox@1.36.1-r0
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
busybox/busybox@1.36.1-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
alpine-baselayout/alpine-baselayout@3.4.3-r1
<span class="list-paths__item__arrow">›</span>
busybox/busybox-binsh@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
busybox/busybox@1.36.1-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
busybox/busybox-binsh@1.36.1-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
alpine-baselayout/alpine-baselayout@3.4.3-r1
<span class="list-paths__item__arrow">›</span>
busybox/busybox-binsh@1.36.1-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>busybox</code> package and not the <code>busybox</code> package as distributed by <code>Alpine</code>.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p>
<p>There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.18</code> <code>busybox</code> to version 1.36.1-r1 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://bugs.busybox.net/show_bug.cgi?id=15216">cve@mitre.org</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE318-BUSYBOX-5890990">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Denial of Service (DoS)</h2>
<div class="card__section">

<div class="label label--high">
<span class="label__text">high severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
google.golang.org/grpc
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and google.golang.org/grpc@v1.46.2
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
google.golang.org/grpc@v1.46.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/dexidp/dex@*
<span class="list-paths__item__arrow">›</span>
google.golang.org/grpc@v1.56.1
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2
id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/google.golang.org/grpc">google.golang.org/grpc</a> is a Go implementation of gRPC.</p>
<p>Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>google.golang.org/grpc</code> to version 1.56.3, 1.57.1, 1.58.3 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79">GitHub Commit</a></li>
<li><a href="https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49">GitHub Commit</a></li>
<li><a href="https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e">GitHub Commit</a></li>
<li><a href="https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148">GitHub Commit</a></li>
<li><a href="https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f">GitHub Commit</a></li>
<li><a href="https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5">GitHub Commit</a></li>
<li><a href="https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61">GitHub Commit</a></li>
<li><a href="https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832">GitHub Commit</a></li>
<li><a href="https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13">GitHub Commit</a></li>
<li><a href="https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/">Snyk Blog</a></li>
<li><a href="https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/">Vulnerability Discovery</a></li>
<li><a href="https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack">Vulnerability Explanation</a></li>
<li><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA - Known Exploited Vulnerabilities</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Denial of Service (DoS)</h2>
<div class="card__section">

<div class="label label--high">
<span class="label__text">high severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/net/http2
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and golang.org/x/net/http2@v0.7.0
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
golang.org/x/net/http2@v0.7.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/dexidp/dex@*
<span class="list-paths__item__arrow">›</span>
golang.org/x/net/http2@v0.11.0
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
<p>Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/net/http2</code> to version 0.17.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79">GitHub Commit</a></li>
<li><a href="https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49">GitHub Commit</a></li>
<li><a href="https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e">GitHub Commit</a></li>
<li><a href="https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148">GitHub Commit</a></li>
<li><a href="https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f">GitHub Commit</a></li>
<li><a href="https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5">GitHub Commit</a></li>
<li><a href="https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61">GitHub Commit</a></li>
<li><a href="https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832">GitHub Commit</a></li>
<li><a href="https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13">GitHub Commit</a></li>
<li><a href="https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/">Snyk Blog</a></li>
<li><a href="https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/">Vulnerability Discovery</a></li>
<li><a href="https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack">Vulnerability Explanation</a></li>
<li><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA - Known Exploited Vulnerabilities</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Improper Authentication</h2>
<div class="card__section">

<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.18
</li>
<li class="card__meta__item">
Vulnerable module:
openssl/libcrypto3
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine:3.18</code>.</em>
<em>See
<code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p>
<p>Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries, which are unauthenticated as a consequence.</p>
<p>Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries, as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications.</p>
<p>The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation.
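</p>
<p>The S2V step that those calls are supposed to feed, as an added Go example that is not part of this Snyk report or of OpenSSL: a from-scratch implementation of the S2V half of AES-SIV (RFC 5297, AES-CMAC over the standard library's AES), checked against the RFC's Appendix A.1 vector. Its <code>skipEmptyAD</code> switch reproduces the behaviour described above, accepting an empty associated-data entry without folding it into the S2V chain. With the switch off, inserting an empty entry changes the tag, so adding, dropping or reordering such entries is detected; with it on, the tag is unchanged. The key, associated data and plaintext are the RFC's; the function and variable names are this example's own.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
)

const blockSize = 16

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func dbl(in []byte) []byte { // doubling in GF(2^128), shared by CMAC subkeys and S2V
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if carry == 1 {
		out[blockSize-1] ^= 0x87
	}
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// cmac is AES-CMAC (RFC 4493) of msg under c; an empty msg is a single 10*-padded block.
func cmac(c cipher.Block, msg []byte) []byte {
	l := make([]byte, blockSize)
	c.Encrypt(l, l) // L = E(K, 0^128); K1 = dbl(L), K2 = dbl(K1)
	n := 1 + (len(msg)-1)/blockSize // block count, at least one (Go truncates -1/16 to 0)
	last := make([]byte, blockSize)
	rem := copy(last, msg[(n-1)*blockSize:])
	sub := dbl(l)
	if rem < blockSize { // partial or empty final block: pad with 10* and use K2
		last[rem] = 0x80
		sub = dbl(sub)
	}
	xorInto(last, sub)
	x := make([]byte, blockSize)
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*blockSize:(i+1)*blockSize])
		c.Encrypt(x, x)
	}
	xorInto(x, last)
	c.Encrypt(x, x)
	return x
}

// s2v computes V = S2V(K1, AD_1..AD_n, P) (RFC 5297, section 2.4), the tag that authenticates
// every AD entry. skipEmptyAD reproduces the flaw described above: an empty entry is accepted
// but never folded into D.
func s2v(k1 []byte, ad [][]byte, pt []byte, skipEmptyAD bool) []byte {
	c := must(aes.NewCipher(k1))
	d := cmac(c, make([]byte, blockSize))
	for _, s := range ad {
		if skipEmptyAD && len(s) == 0 {
			continue // "returns success" without performing the authentication step
		}
		d = dbl(d)
		xorInto(d, cmac(c, s))
	}
	if len(pt) >= blockSize {
		t := append([]byte{}, pt...)
		xorInto(t[len(t)-blockSize:], d) // xorend
		return cmac(c, t)
	}
	t := dbl(d)
	padded := make([]byte, blockSize)
	copy(padded, pt)
	padded[len(pt)] = 0x80
	xorInto(t, padded)
	return cmac(c, t)
}

// RFC 5297 Appendix A.1 inputs: the S2V half of the key, one AD string, a 14-byte plaintext.
var rfcK1 = must(hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0"))
var rfcAD = must(hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627"))
var rfcPT = must(hex.DecodeString("112233445566778899aabbccddee"))

// rfcA1Tag returns hex(V) for the Appendix A.1 vector, as a check of the implementation.
func rfcA1Tag() string {
	return hex.EncodeToString(s2v(rfcK1, [][]byte{rfcAD}, rfcPT, false))
}

// emptyADMatters reports whether prepending an empty AD entry changes V: true for a correct
// S2V, false with the flaw, which is why adding, dropping or reordering empty entries goes unnoticed.
func emptyADMatters(skipEmptyAD bool) bool {
	a := s2v(rfcK1, [][]byte{rfcAD}, rfcPT, skipEmptyAD)
	b := s2v(rfcK1, [][]byte{{}, rfcAD}, rfcPT, skipEmptyAD)
	return hex.EncodeToString(a) != hex.EncodeToString(b)
}
```

<p>A correct S2V treats an empty string like any other entry (<code>D = dbl(D) xor CMAC(K1, "")</code>, which is not a no-op), so the tag depends on how many empty entries there are and where they sit. Skipping the step makes the tag identical whether or not the entry is present, which is exactly the ambiguity the advisory describes.</p>
<p>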
889 The empty data thus will not be authenticated.</p> 890 <p>As this issue does not affect non-empty associated data authentication and 891 we expect it to be rare for an application to use empty associated data 892 entries this is qualified as Low severity issue.</p> 893 <h2 id="remediation">Remediation</h2> 894 <p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.1-r2 or higher.</p> 895 <h2 id="references">References</h2> 896 <ul> 897 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598">openssl-security@openssl.org</a></li> 898 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc">openssl-security@openssl.org</a></li> 899 <li><a href="https://www.openssl.org/news/secadv/20230714.txt">openssl-security@openssl.org</a></li> 900 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/15/1">openssl-security@openssl.org</a></li> 901 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/5">openssl-security@openssl.org</a></li> 902 <li><a href="https://security.netapp.com/advisory/ntap-20230725-0004/">openssl-security@openssl.org</a></li> 903 </ul> 904 905 <hr/> 906 907 <div class="cta card__cta"> 908 <p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-5776808">More about this vulnerability</a></p> 909 </div> 910 911 </div><!-- .card --> 912 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 913 <h2 class="card__title">Inefficient Regular Expression Complexity</h2> 914 <div class="card__section"> 915 916 <div class="label label--medium"> 917 <span class="label__text">medium severity</span> 918 </div> 919 920 <hr/> 921 922 <ul class="card__meta"> 923 <li class="card__meta__item"> 924 Package Manager: alpine:3.18 925 </li> 926 <li class="card__meta__item"> 927 Vulnerable module: 928 929 openssl/libcrypto3 930 </li> 931 932 <li class="card__meta__item">Introduced 
through: 933 934 docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 935 936 </li> 937 </ul> 938 939 <hr/> 940 941 942 <h3 class="card__section__title">Detailed paths</h3> 943 944 <ul class="card__meta__paths"> 945 <li> 946 <span class="list-paths__item__introduced"><em>Introduced through</em>: 947 docker-image|ghcr.io/dexidp/dex@v2.37.0 948 <span class="list-paths__item__arrow">›</span> 949 openssl/libcrypto3@3.1.1-r1 950 951 </span> 952 953 </li> 954 <li> 955 <span class="list-paths__item__introduced"><em>Introduced through</em>: 956 docker-image|ghcr.io/dexidp/dex@v2.37.0 957 <span class="list-paths__item__arrow">›</span> 958 apk-tools/apk-tools@2.14.0-r2 959 <span class="list-paths__item__arrow">›</span> 960 openssl/libcrypto3@3.1.1-r1 961 962 </span> 963 964 </li> 965 <li> 966 <span class="list-paths__item__introduced"><em>Introduced through</em>: 967 docker-image|ghcr.io/dexidp/dex@v2.37.0 968 <span class="list-paths__item__arrow">›</span> 969 busybox/ssl_client@1.36.1-r0 970 <span class="list-paths__item__arrow">›</span> 971 openssl/libcrypto3@3.1.1-r1 972 973 </span> 974 975 </li> 976 <li> 977 <span class="list-paths__item__introduced"><em>Introduced through</em>: 978 docker-image|ghcr.io/dexidp/dex@v2.37.0 979 <span class="list-paths__item__arrow">›</span> 980 apk-tools/apk-tools@2.14.0-r2 981 <span class="list-paths__item__arrow">›</span> 982 openssl/libssl3@3.1.1-r1 983 <span class="list-paths__item__arrow">›</span> 984 openssl/libcrypto3@3.1.1-r1 985 986 </span> 987 988 </li> 989 <li> 990 <span class="list-paths__item__introduced"><em>Introduced through</em>: 991 docker-image|ghcr.io/dexidp/dex@v2.37.0 992 <span class="list-paths__item__arrow">›</span> 993 openssl/libssl3@3.1.1-r1 994 995 </span> 996 997 </li> 998 <li> 999 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1000 docker-image|ghcr.io/dexidp/dex@v2.37.0 1001 <span class="list-paths__item__arrow">›</span> 1002 apk-tools/apk-tools@2.14.0-r2 1003 <span 
class="list-paths__item__arrow">›</span> 1004 openssl/libssl3@3.1.1-r1 1005 1006 </span> 1007 1008 </li> 1009 <li> 1010 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1011 docker-image|ghcr.io/dexidp/dex@v2.37.0 1012 <span class="list-paths__item__arrow">›</span> 1013 busybox/ssl_client@1.36.1-r0 1014 <span class="list-paths__item__arrow">›</span> 1015 openssl/libssl3@3.1.1-r1 1016 1017 </span> 1018 1019 </li> 1020 </ul><!-- .list-paths --> 1021 1022 </div><!-- .card__section --> 1023 1024 <hr/> 1025 <!-- Overview --> 1026 <h2 id="nvd-description">NVD Description</h2> 1027 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 1028 <em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p> 1029 <p>Issue summary: Checking excessively long DH keys or parameters may be very slow.</p> 1030 <p>Impact summary: Applications that use the functions DH_check(), DH_check_ex() 1031 or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long 1032 delays. Where the key or parameters that are being checked have been obtained 1033 from an untrusted source this may lead to a Denial of Service.</p> 1034 <p>The function DH_check() performs various checks on DH parameters. One of those 1035 checks confirms that the modulus ('p' parameter) is not too large. Trying to use 1036 a very large modulus is slow and OpenSSL will not normally use a modulus which 1037 is over 10,000 bits in length.</p> 1038 <p>However the DH_check() function checks numerous aspects of the key or parameters 1039 that have been supplied. 
Some of those checks use the supplied modulus value 1040 even if it has already been found to be too large.</p> 1041 <p>An application that calls DH_check() and supplies a key or parameters obtained 1042 from an untrusted source could be vulnerable to a Denial of Service attack.</p> 1043 <p>The function DH_check() is itself called by a number of other OpenSSL functions. 1044 An application calling any of those other functions may similarly be affected. 1045 The other functions affected by this are DH_check_ex() and 1046 EVP_PKEY_param_check().</p> 1047 <p>Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications 1048 when using the '-check' option.</p> 1049 <p>The OpenSSL SSL/TLS implementation is not affected by this issue. 1050 The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.</p> 1051 <h2 id="remediation">Remediation</h2> 1052 <p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.1-r3 or higher.</p> 1053 <h2 id="references">References</h2> 1054 <ul> 1055 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb">openssl-security@openssl.org</a></li> 1056 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528">openssl-security@openssl.org</a></li> 1057 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c">openssl-security@openssl.org</a></li> 1058 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23">openssl-security@openssl.org</a></li> 1059 <li><a href="https://www.openssl.org/news/secadv/20230719.txt">openssl-security@openssl.org</a></li> 1060 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/4">openssl-security@openssl.org</a></li> 1061 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/5">openssl-security@openssl.org</a></li> 
1062 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/6">openssl-security@openssl.org</a></li> 1063 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/31/1">openssl-security@openssl.org</a></li> 1064 <li><a href="https://security.netapp.com/advisory/ntap-20230803-0011/">openssl-security@openssl.org</a></li> 1065 <li><a href="https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html">openssl-security@openssl.org</a></li> 1066 </ul> 1067 1068 <hr/> 1069 1070 <div class="cta card__cta"> 1071 <p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-5788370">More about this vulnerability</a></p> 1072 </div> 1073 1074 </div><!-- .card --> 1075 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1076 <h2 class="card__title">Excessive Iteration</h2> 1077 <div class="card__section"> 1078 1079 <div class="label label--medium"> 1080 <span class="label__text">medium severity</span> 1081 </div> 1082 1083 <hr/> 1084 1085 <ul class="card__meta"> 1086 <li class="card__meta__item"> 1087 Package Manager: alpine:3.18 1088 </li> 1089 <li class="card__meta__item"> 1090 Vulnerable module: 1091 1092 openssl/libcrypto3 1093 </li> 1094 1095 <li class="card__meta__item">Introduced through: 1096 1097 docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1 1098 1099 </li> 1100 </ul> 1101 1102 <hr/> 1103 1104 1105 <h3 class="card__section__title">Detailed paths</h3> 1106 1107 <ul class="card__meta__paths"> 1108 <li> 1109 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1110 docker-image|ghcr.io/dexidp/dex@v2.37.0 1111 <span class="list-paths__item__arrow">›</span> 1112 openssl/libcrypto3@3.1.1-r1 1113 1114 </span> 1115 1116 </li> 1117 <li> 1118 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1119 docker-image|ghcr.io/dexidp/dex@v2.37.0 1120 <span class="list-paths__item__arrow">›</span> 1121 apk-tools/apk-tools@2.14.0-r2 1122 <span 
class="list-paths__item__arrow">›</span> 1123 openssl/libcrypto3@3.1.1-r1 1124 1125 </span> 1126 1127 </li> 1128 <li> 1129 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1130 docker-image|ghcr.io/dexidp/dex@v2.37.0 1131 <span class="list-paths__item__arrow">›</span> 1132 busybox/ssl_client@1.36.1-r0 1133 <span class="list-paths__item__arrow">›</span> 1134 openssl/libcrypto3@3.1.1-r1 1135 1136 </span> 1137 1138 </li> 1139 <li> 1140 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1141 docker-image|ghcr.io/dexidp/dex@v2.37.0 1142 <span class="list-paths__item__arrow">›</span> 1143 apk-tools/apk-tools@2.14.0-r2 1144 <span class="list-paths__item__arrow">›</span> 1145 openssl/libssl3@3.1.1-r1 1146 <span class="list-paths__item__arrow">›</span> 1147 openssl/libcrypto3@3.1.1-r1 1148 1149 </span> 1150 1151 </li> 1152 <li> 1153 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1154 docker-image|ghcr.io/dexidp/dex@v2.37.0 1155 <span class="list-paths__item__arrow">›</span> 1156 openssl/libssl3@3.1.1-r1 1157 1158 </span> 1159 1160 </li> 1161 <li> 1162 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1163 docker-image|ghcr.io/dexidp/dex@v2.37.0 1164 <span class="list-paths__item__arrow">›</span> 1165 apk-tools/apk-tools@2.14.0-r2 1166 <span class="list-paths__item__arrow">›</span> 1167 openssl/libssl3@3.1.1-r1 1168 1169 </span> 1170 1171 </li> 1172 <li> 1173 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1174 docker-image|ghcr.io/dexidp/dex@v2.37.0 1175 <span class="list-paths__item__arrow">›</span> 1176 busybox/ssl_client@1.36.1-r0 1177 <span class="list-paths__item__arrow">›</span> 1178 openssl/libssl3@3.1.1-r1 1179 1180 </span> 1181 1182 </li> 1183 </ul><!-- .list-paths --> 1184 1185 </div><!-- .card__section --> 1186 1187 <hr/> 1188 <!-- Overview --> 1189 <h2 id="nvd-description">NVD Description</h2> 1190 <p><strong><em>Note:</em></strong> <em>Versions 
mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 1191 <em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p> 1192 <p>Issue summary: Checking excessively long DH keys or parameters may be very slow.</p> 1193 <p>Impact summary: Applications that use the functions DH_check(), DH_check_ex() 1194 or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long 1195 delays. Where the key or parameters that are being checked have been obtained 1196 from an untrusted source this may lead to a Denial of Service.</p> 1197 <p>The function DH_check() performs various checks on DH parameters. After fixing 1198 CVE-2023-3446 it was discovered that a large q parameter value can also trigger 1199 an overly long computation during some of these checks. A correct q value, 1200 if present, cannot be larger than the modulus p parameter, thus it is 1201 unnecessary to perform these checks if q is larger than p.</p> 1202 <p>An application that calls DH_check() and supplies a key or parameters obtained 1203 from an untrusted source could be vulnerable to a Denial of Service attack.</p> 1204 <p>The function DH_check() is itself called by a number of other OpenSSL functions. 1205 An application calling any of those other functions may similarly be affected. 
1206 The other functions affected by this are DH_check_ex() and 1207 EVP_PKEY_param_check().</p> 1208 <p>Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications 1209 when using the "-check" option.</p> 1210 <p>The OpenSSL SSL/TLS implementation is not affected by this issue.</p> 1211 <p>The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.</p> 1212 <h2 id="remediation">Remediation</h2> 1213 <p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.2-r0 or higher. This version also contains the 3.1.1-r3 fix for the preceding DH_check() issue, so a single upgrade of the <code>openssl</code> source package (which provides both <code>libcrypto3</code> and <code>libssl3</code>) clears both findings in this image.</p> 1214 <h2 id="references">References</h2> 1215 <ul> 1216 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5">openssl-security@openssl.org</a></li> 1217 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644">openssl-security@openssl.org</a></li> 1218 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f">openssl-security@openssl.org</a></li> 1219 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5">openssl-security@openssl.org</a></li> 1220 <li><a href="https://www.openssl.org/news/secadv/20230731.txt">openssl-security@openssl.org</a></li> 1221 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/31/1">openssl-security@openssl.org</a></li> 1222 <li><a href="http://seclists.org/fulldisclosure/2023/Jul/43">openssl-security@openssl.org</a></li> 1223 <li><a href="https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html">openssl-security@openssl.org</a></li> 1224 <li><a href="https://security.netapp.com/advisory/ntap-20230818-0014/">openssl-security@openssl.org</a></li> 1225 <li><a href="http://www.openwall.com/lists/oss-security/2023/09/22/9">openssl-security@openssl.org</a></li> 1226 <li><a 
href="http://www.openwall.com/lists/oss-security/2023/09/22/11">openssl-security@openssl.org</a></li> 1227 <li><a href="https://security.netapp.com/advisory/ntap-20231027-0008/">openssl-security@openssl.org</a></li> 1228 </ul> 1229 1230 <hr/> 1231 1232 <div class="cta card__cta"> 1233 <p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-5821142">More about this vulnerability</a></p> 1234 </div> 1235 1236 </div><!-- .card --> 1237 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1238 <h2 class="card__title">Cross-site Scripting (XSS)</h2> 1239 <div class="card__section"> 1240 1241 <div class="label label--medium"> 1242 <span class="label__text">medium severity</span> 1243 </div> 1244 1245 <hr/> 1246 1247 <ul class="card__meta"> 1248 <li class="card__meta__item"> 1249 Package Manager: golang 1250 </li> 1251 <li class="card__meta__item"> 1252 Vulnerable module: 1253 1254 golang.org/x/net/html 1255 </li> 1256 1257 <li class="card__meta__item">Introduced through: 1258 1259 github.com/dexidp/dex@* and golang.org/x/net/html@v0.11.0 1260 1261 </li> 1262 </ul> 1263 1264 <hr/> 1265 1266 1267 <h3 class="card__section__title">Detailed paths</h3> 1268 1269 <ul class="card__meta__paths"> 1270 <li> 1271 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1272 github.com/dexidp/dex@* 1273 <span class="list-paths__item__arrow">›</span> 1274 golang.org/x/net/html@v0.11.0 1275 1276 </span> 1277 1278 </li> 1279 </ul><!-- .list-paths --> 1280 1281 </div><!-- .card__section --> 1282 1283 <hr/> 1284 <!-- Overview --> 1285 <h2 id="overview">Overview</h2> 1286 <p><a href="https://pkg.go.dev/golang.org/x/net/html">golang.org/x/net/html</a> is a package that implements an HTML5-compliant tokenizer and parser.</p> 1287 <p>Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the <code>render1()</code> function in <code>render.go</code>. 
Text nodes outside the HTML namespace (that is, inside <code>svg</code> or <code>math</code> foreign content) are rendered literally instead of being escaped, so text that should have been written as escaped characters is written as raw markup. A document that was parsed safely can therefore be serialised into one that parses differently, which defeats sanitizers built on this package.</p> 1288 <h2 id="details">Details</h2> 1289 <p>A cross-site scripting attack occurs when an attacker gets a legitimate web application to deliver attacker-controlled script to other users' browsers, where it runs with the origin and privileges of the trusted site.</p> 1290 <p>This is done by breaking out of the context in which the application embeds untrusted data (text, attribute value, script or URL); the web application then delivers that data to its users along with other trusted dynamic content, without validating or encoding it. The browser unknowingly executes the malicious script on the client side (usually JavaScript injected through HTML) and so performs actions that the browser's Same Origin Policy would otherwise block.</p> 1291 <p>Injecting malicious markup or script is the most prevalent manner by which XSS is exploited; for this reason, escaping the characters that are significant in the output context is the primary method for securing code against this vulnerability.</p> 1292 <p>Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, <code><</code> can be coded as <code>&lt;</code> and <code>></code> can be coded as <code>&gt;</code> in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses <code><</code> and <code>></code> as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they have been correctly escaped in the application code, and in this way the attempted attack is diverted. The escaping has to be applied by whichever component writes the final output. In this issue that component is the serializer itself: text the parser correctly decoded into a text node is written back without re-escaping, so escaping applied before parsing is undone on output.</p> 1293 <p>The most prominent use of XSS is to steal session cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have also been used to expose sensitive information, gain access to privileged services and functionality, and deliver malware.</p> 1294 <h3 id="types-of-attacks">Types of attacks</h3> 1295 <p>There are a few methods by which XSS can be carried out:</p> 1296 <table> 1297 <thead> 1298 <tr> 1299 <th>Type</th> 1300 <th>Origin</th> 1301 <th>Description</th> 1302 </tr> 1303 </thead> 1304 <tbody><tr> 1305 <td><strong>Stored</strong></td> 1306 <td>Server</td> 1307 <td>The malicious code is persisted by the application (for example in a comment, profile field or message) and served to every user who views the affected page, with no further action by the attacker.</td> 1308 </tr> 1309 <tr> 1310 <td><strong>Reflected</strong></td> 1311 <td>Server</td> 1312 <td>The attacker delivers a malicious link externally from the vulnerable web application to a user. When clicked, the malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.</td> 1313 </tr> 1314 <tr> 1315 <td><strong>DOM-based</strong></td> 1316 <td>Client</td> 1317 <td>Client-side script on the page writes attacker-controlled data (typically taken from the URL or its fragment) into the DOM without encoding it. The page itself delivers the payload, which may never reach the server.</td> 1318 </tr> 1319 <tr> 1320 <td><strong>Mutated</strong></td> 1321 <td>Client</td> 1322 <td>The attacker injects code that appears safe, but is then rewritten and modified by the browser while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters. A serializer that writes escaped text back literally, as in this issue, produces the same effect from the other side: its output re-parses into different markup than the tree it came from.</td> 1323 </tr> 1324 </tbody></table> 1325 <h3 id="affected-environments">Affected environments</h3> 1326 <p>The following environments are susceptible to an XSS attack:</p> 1327 <ul> 1328 <li>Web servers</li> 1329 <li>Application servers</li> 1330 <li>Web application environments</li> 1331 </ul> 1332 <h3 id="how-to-prevent">How to prevent</h3> 1333 <p>This section describes the top best practices designed to specifically protect your code:</p> 1334 <ul> 1335 <li>Validate data received in an HTTP request and encode it for the context it is written into (HTML body, attribute, JavaScript string or URL) before reflecting it back, for example the values of query parameters echoed on a search results page.</li> 1336 <li>Convert special characters such as <code>?</code>, <code>&</code>, <code>/</code>, <code><</code>, <code>></code>, quotes and spaces to their respective HTML or URL encoded equivalents, using a maintained encoding library rather than hand-written replacements.</li> 1337 <li>Mark session cookies <code>HttpOnly</code> and <code>Secure</code> so that script running in the page cannot read them; this blunts the cookie-theft scenario above without preventing the injection itself.</li> 1338 <li>Reject or redirect invalid requests rather than echoing their contents back to the user.</li> 1339 <li>Detect hijacked sessions, for example simultaneous logins from two separate IP addresses, and invalidate those sessions.</li> 1340 <li>Use and enforce a Content Security Policy (source: Wikipedia) to disable inline scripts and other features that might be manipulated for an XSS attack.</li> 1341 <li>Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML, and keep HTML parsing and sanitizing libraries current: this issue sits in the library's own serializer, so only upgrading the package removes it.</li> 1342 </ul> 1343 <h2 id="remediation">Remediation</h2> 1344 <p>Upgrade <code>golang.org/x/net/html</code> to version 0.13.0 or higher. The package ships in the <code>golang.org/x/net</code> module, so that module requirement is what needs bumping in <code>go.mod</code>.</p> 1345 <h2 id="references">References</h2> 1346 <ul> 1347 <li><a href="https://github.com/golang/net/commit/8ffa475fbdb33da97e8bf79cc5791ee8751fca5e">GitHub Commit</a></li> 1348 <li><a href="https://go.dev/issue/61615">GitHub Issue</a></li> 1349 <li><a href="https://go.dev/cl/514896">Golang PR</a></li> 1350 <li><a 
href="https://pkg.go.dev/vuln/GO-2023-1988">Vulnerability Advisory</a></li> 1351 </ul> 1352 1353 <hr/> 1354 1355 <div class="cta card__cta"> 1356 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-5816820">More about this vulnerability</a></p> 1357 </div> 1358 1359 </div><!-- .card --> 1360 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1361 <h2 class="card__title">MPL-2.0 license</h2> 1362 <div class="card__section"> 1363 1364 <div class="label label--medium"> 1365 <span class="label__text">medium severity</span> 1366 </div> 1367 1368 <hr/> 1369 1370 <ul class="card__meta"> 1371 <li class="card__meta__item"> 1372 Package Manager: golang 1373 </li> 1374 <li class="card__meta__item"> 1375 Module: 1376 1377 github.com/hashicorp/vault/sdk/helper/certutil 1378 </li> 1379 1380 <li class="card__meta__item">Introduced through: 1381 1382 github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/vault/sdk/helper/certutil@v0.5.0 1383 1384 </li> 1385 </ul> 1386 1387 <hr/> 1388 1389 1390 <h3 class="card__section__title">Detailed paths</h3> 1391 1392 <ul class="card__meta__paths"> 1393 <li> 1394 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1395 github.com/hairyhenderson/gomplate/v3@* 1396 <span class="list-paths__item__arrow">›</span> 1397 github.com/hashicorp/vault/sdk/helper/certutil@v0.5.0 1398 1399 </span> 1400 1401 </li> 1402 <li> 1403 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1404 github.com/hairyhenderson/gomplate/v3@* 1405 <span class="list-paths__item__arrow">›</span> 1406 github.com/hashicorp/vault/sdk/helper/compressutil@v0.5.0 1407 1408 </span> 1409 1410 </li> 1411 <li> 1412 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1413 github.com/hairyhenderson/gomplate/v3@* 1414 <span class="list-paths__item__arrow">›</span> 1415 github.com/hashicorp/vault/sdk/helper/consts@v0.5.0 1416 1417 </span> 1418 1419 </li> 1420 <li> 1421 
<span class="list-paths__item__introduced"><em>Introduced through</em>: 1422 github.com/hairyhenderson/gomplate/v3@* 1423 <span class="list-paths__item__arrow">›</span> 1424 github.com/hashicorp/vault/sdk/helper/jsonutil@v0.5.0 1425 1426 </span> 1427 1428 </li> 1429 <li> 1430 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1431 github.com/hairyhenderson/gomplate/v3@* 1432 <span class="list-paths__item__arrow">›</span> 1433 github.com/hashicorp/vault/sdk/helper/pluginutil@v0.5.0 1434 1435 </span> 1436 1437 </li> 1438 <li> 1439 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1440 github.com/hairyhenderson/gomplate/v3@* 1441 <span class="list-paths__item__arrow">›</span> 1442 github.com/hashicorp/vault/sdk/helper/strutil@v0.5.0 1443 1444 </span> 1445 1446 </li> 1447 <li> 1448 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1449 github.com/hairyhenderson/gomplate/v3@* 1450 <span class="list-paths__item__arrow">›</span> 1451 github.com/hashicorp/vault/sdk/logical@v0.5.0 1452 1453 </span> 1454 1455 </li> 1456 <li> 1457 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1458 github.com/hairyhenderson/gomplate/v3@* 1459 <span class="list-paths__item__arrow">›</span> 1460 github.com/hashicorp/vault/sdk/physical@v0.5.0 1461 1462 </span> 1463 1464 </li> 1465 <li> 1466 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1467 github.com/hairyhenderson/gomplate/v3@* 1468 <span class="list-paths__item__arrow">›</span> 1469 github.com/hashicorp/vault/sdk/physical/inmem@v0.5.0 1470 1471 </span> 1472 1473 </li> 1474 </ul><!-- .list-paths --> 1475 1476 </div><!-- .card__section --> 1477 1478 <hr/> 1479 <!-- Overview --> 1480 <p>MPL-2.0 license</p> 1481 1482 <hr/> 1483 1484 <div class="cta card__cta"> 1485 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:vault:sdk:MPL-2.0">More about this vulnerability</a></p> 1486 </div> 1487 1488 </div><!-- .card --> 
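The two OpenSSL findings earlier in this report describe one class of bug in DH_check(): a parameter from an untrusted source (first an oversized modulus p, the issue the second advisory refers to as CVE-2023-3446, then an oversized q) reached computations whose cost grows with the parameter's size before any cheap bound rejected it. The Go program below was written for this report and is not code from OpenSSL, dex or Argo CD. It parses DER-encoded DH parameters and applies the cheap size bounds first, in the order the fixes impose, and only then runs the primality and range checks. The 10,000-bit limit mirrors the figure the first advisory quotes; the struct layout, function names, sentinel errors and the toy 23/5/11 group are assumptions made for the example.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// maxModulusBits mirrors the "over 10,000 bits" limit the advisory mentions.
// Assumed for this example; it is not a value read from OpenSSL or dex.
const maxModulusBits = 10000

// dhParams is the X9.42 DomainParameters prefix (p, g, optional q). A PKCS#3
// DHParameter (p and g only) decodes into the same struct with Q == nil.
type dhParams struct {
	P *big.Int
	G *big.Int
	Q *big.Int `asn1:"optional"`
}

// Sentinel errors so callers can tell a cheap rejection from a failed check.
var (
	ErrModulusTooLarge       = errors.New("dh: modulus p exceeds size limit")
	ErrSubgroupOrderTooLarge = errors.New("dh: q is not smaller than p")
	ErrNotPrime              = errors.New("dh: p is not an odd prime")
	ErrBadGenerator          = errors.New("dh: g is not in [2, p-2]")
	ErrBadSubgroupOrder      = errors.New("dh: q is not a prime divisor of p-1")
)

// CheckDHParams validates DER-encoded DH parameters from an untrusted source.
// The size bounds come first and return immediately, so an attacker-chosen p
// or q of absurd size never reaches the primality tests below. The vulnerable
// DH_check() ordering ran those tests on the oversized values anyway.
func CheckDHParams(der []byte) error {
	var dp dhParams
	rest, err := asn1.Unmarshal(der, &dp)
	if err != nil {
		return fmt.Errorf("dh: malformed parameters: %w", err)
	}
	if len(rest) != 0 {
		return errors.New("dh: trailing bytes after parameters")
	}
	if dp.P.Sign() <= 0 || dp.G.Sign() <= 0 {
		return errors.New("dh: p and g must be positive")
	}

	// First advisory: an oversized modulus must be rejected before any
	// computation whose cost grows with its size.
	if dp.P.BitLen() > maxModulusBits {
		return ErrModulusTooLarge
	}
	// Follow-up advisory: a valid q divides p-1, so q >= p can never be
	// valid and must not be fed to the primality test either.
	if dp.Q != nil && dp.Q.Cmp(dp.P) >= 0 {
		return ErrSubgroupOrderTooLarge
	}

	// Expensive checks, now bounded by maxModulusBits.
	if dp.P.Bit(0) == 0 || !dp.P.ProbablyPrime(20) {
		return ErrNotPrime
	}
	two := big.NewInt(2)
	if dp.G.Cmp(two) < 0 || dp.G.Cmp(new(big.Int).Sub(dp.P, two)) > 0 {
		return ErrBadGenerator
	}
	if dp.Q != nil {
		pMinus1 := new(big.Int).Sub(dp.P, big.NewInt(1))
		if dp.Q.Sign() <= 0 || !dp.Q.ProbablyPrime(20) ||
			new(big.Int).Mod(pMinus1, dp.Q).Sign() != 0 {
			return ErrBadSubgroupOrder
		}
	}
	return nil
}

// MarshalDHParams produces the DER that CheckDHParams consumes; q may be nil.
func MarshalDHParams(p, g, q *big.Int) ([]byte, error) {
	return asn1.Marshal(dhParams{P: p, G: g, Q: q})
}

func main() {
	// Constructed inputs: a valid toy group (p=23, g=5, q=11), then the two
	// shapes the advisories describe, an oversized p and a q larger than p.
	good, _ := MarshalDHParams(big.NewInt(23), big.NewInt(5), big.NewInt(11))
	hugeP, _ := MarshalDHParams(new(big.Int).SetBit(new(big.Int), maxModulusBits+1, 1), big.NewInt(2), nil)
	bigQ, _ := MarshalDHParams(big.NewInt(23), big.NewInt(5), big.NewInt(29))
	for _, der := range [][]byte{good, hugeP, bigQ} {
		fmt.Println(CheckDHParams(der)) // <nil>, then the two sentinel errors
	}
}
```

The order of the two bound checks relative to ProbablyPrime is the whole point: swapping them back reproduces the advisories' behaviour, where a 100,000-bit p or q costs seconds of CPU per call before the caller learns the parameters were invalid.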
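The golang.org/x/net/html finding above comes down to one decision in the serializer: which text nodes are written literally. The HTML serialisation rules say the text children of a handful of elements (script, style, iframe, xmp and so on) are emitted without escaping, because the parser stored their content verbatim. Before 0.13.0 the renderer made that decision from the tag name without considering the namespace, so an element with one of those names inside svg or math content had its entity-decoded text child written raw, even though the parser had treated that text as ordinary escaped text. The Go program below is a stand-in written for this report, not the library's code: a minimal node tree (the real html.Node also carries Type, Data and Namespace) and a renderer with the pre-fix and post-fix decision side by side, so the difference in output for a constructed svg/style payload is visible. The Node fields, the ForeignStyleTree helper and the payload are assumptions made for the example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Node is a minimal stand-in for the x/net/html node tree, carrying only the
// fields the rendering decision depends on. Example code, not the library's.
type Node struct {
	Element   bool   // true for an element node, false for a text node
	Data      string // tag name for elements, content for text nodes
	Namespace string // "" for HTML, "svg" or "math" for foreign content
	Children  []*Node
}

// rawTextParents are the HTML elements whose text children the HTML
// serialisation algorithm writes literally, without escaping.
var rawTextParents = map[string]bool{
	"iframe": true, "noembed": true, "noframes": true, "noscript": true,
	"plaintext": true, "script": true, "style": true, "xmp": true,
}

// childTextIsLiteral is the decision the advisory is about. The vulnerable
// form keys on the tag name alone; the fixed form also requires the HTML
// namespace, because inside svg or math content the parser never produced
// raw text for these tag names, so their text children must stay escaped.
func childTextIsLiteral(n *Node, fixed bool) bool {
	if fixed && n.Namespace != "" {
		return false
	}
	return rawTextParents[n.Data]
}

// Render serialises the tree. fixed=false models golang.org/x/net/html before
// 0.13.0, fixed=true models 0.13.0 and later.
func Render(n *Node, fixed bool) string {
	var sb strings.Builder
	render(&sb, n, false, fixed)
	return sb.String()
}

func render(sb *strings.Builder, n *Node, literal, fixed bool) {
	if !n.Element {
		if literal {
			sb.WriteString(n.Data) // emitted as-is: any markup inside is live
		} else {
			sb.WriteString(html.EscapeString(n.Data))
		}
		return
	}
	sb.WriteString("<" + n.Data + ">")
	childLiteral := childTextIsLiteral(n, fixed)
	for _, c := range n.Children {
		render(sb, c, childLiteral, fixed)
	}
	sb.WriteString("</" + n.Data + ">")
}

// ForeignStyleTree is the tree the parser builds for the constructed input
//
//	<svg><style>&lt;img src=x onerror=alert(1)&gt;</style></svg>
//
// In foreign content the style element is ordinary, so its child is a plain
// text node holding the entity-decoded string. Assumed example payload.
func ForeignStyleTree() *Node {
	return &Node{Element: true, Data: "svg", Namespace: "svg", Children: []*Node{
		{Element: true, Data: "style", Namespace: "svg", Children: []*Node{
			{Data: "<img src=x onerror=alert(1)>", Namespace: "svg"},
		}},
	}}
}

func main() {
	tree := ForeignStyleTree()
	fmt.Println("before fix:", Render(tree, false)) // text comes out as live markup
	fmt.Println("after fix: ", Render(tree, true))  // text comes out escaped again
}
```

The vulnerable output re-parses with an img element where the input had only text, which is the mutation-style bypass the "Mutated" row in the table above describes; the fixed renderer keeps the literal-text rule for HTML-namespace style and script elements, where the parser really did store raw text, and escapes everywhere else.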
1489 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1490 <h2 class="card__title">MPL-2.0 license</h2> 1491 <div class="card__section"> 1492 1493 <div class="label label--medium"> 1494 <span class="label__text">medium severity</span> 1495 </div> 1496 1497 <hr/> 1498 1499 <ul class="card__meta"> 1500 <li class="card__meta__item"> 1501 Package Manager: golang 1502 </li> 1503 <li class="card__meta__item"> 1504 Module: 1505 1506 github.com/hashicorp/vault/api 1507 </li> 1508 1509 <li class="card__meta__item">Introduced through: 1510 1511 github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/vault/api@v1.6.0 1512 1513 </li> 1514 </ul> 1515 1516 <hr/> 1517 1518 1519 <h3 class="card__section__title">Detailed paths</h3> 1520 1521 <ul class="card__meta__paths"> 1522 <li> 1523 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1524 github.com/hairyhenderson/gomplate/v3@* 1525 <span class="list-paths__item__arrow">›</span> 1526 github.com/hashicorp/vault/api@v1.6.0 1527 1528 </span> 1529 1530 </li> 1531 </ul><!-- .list-paths --> 1532 1533 </div><!-- .card__section --> 1534 1535 <hr/> 1536 <!-- Overview --> 1537 <p>MPL-2.0 license</p> 1538 1539 <hr/> 1540 1541 <div class="cta card__cta"> 1542 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:vault:api:MPL-2.0">More about this vulnerability</a></p> 1543 </div> 1544 1545 </div><!-- .card --> 1546 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1547 <h2 class="card__title">MPL-2.0 license</h2> 1548 <div class="card__section"> 1549 1550 <div class="label label--medium"> 1551 <span class="label__text">medium severity</span> 1552 </div> 1553 1554 <hr/> 1555 1556 <ul class="card__meta"> 1557 <li class="card__meta__item"> 1558 Package Manager: golang 1559 </li> 1560 <li class="card__meta__item"> 1561 Module: 1562 1563 github.com/hashicorp/serf/coordinate 1564 </li> 1565 1566 <li 
class="card__meta__item">Introduced through: 1567 1568 github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/serf/coordinate@v0.9.7 1569 1570 </li> 1571 </ul> 1572 1573 <hr/> 1574 1575 1576 <h3 class="card__section__title">Detailed paths</h3> 1577 1578 <ul class="card__meta__paths"> 1579 <li> 1580 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1581 github.com/hairyhenderson/gomplate/v3@* 1582 <span class="list-paths__item__arrow">›</span> 1583 github.com/hashicorp/serf/coordinate@v0.9.7 1584 1585 </span> 1586 1587 </li> 1588 </ul><!-- .list-paths --> 1589 1590 </div><!-- .card__section --> 1591 1592 <hr/> 1593 <!-- Overview --> 1594 <p>MPL-2.0 license</p> 1595 1596 <hr/> 1597 1598 <div class="cta card__cta"> 1599 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:serf:MPL-2.0">More about this vulnerability</a></p> 1600 </div> 1601 1602 </div><!-- .card --> 1603 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1604 <h2 class="card__title">MPL-2.0 license</h2> 1605 <div class="card__section"> 1606 1607 <div class="label label--medium"> 1608 <span class="label__text">medium severity</span> 1609 </div> 1610 1611 <hr/> 1612 1613 <ul class="card__meta"> 1614 <li class="card__meta__item"> 1615 Package Manager: golang 1616 </li> 1617 <li class="card__meta__item"> 1618 Module: 1619 1620 github.com/hashicorp/hcl/v2 1621 </li> 1622 1623 <li class="card__meta__item">Introduced through: 1624 1625 github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0 1626 1627 </li> 1628 </ul> 1629 1630 <hr/> 1631 1632 1633 <h3 class="card__section__title">Detailed paths</h3> 1634 1635 <ul class="card__meta__paths"> 1636 <li> 1637 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1638 github.com/dexidp/dex@* 1639 <span class="list-paths__item__arrow">›</span> 1640 github.com/hashicorp/hcl/v2@v2.13.0 1641 1642 </span> 1643 1644 </li> 1645 <li> 1646 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1647 github.com/dexidp/dex@* 1648 <span class="list-paths__item__arrow">›</span> 1649 github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0 1650 1651 </span> 1652 1653 </li> 1654 <li> 1655 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1656 github.com/dexidp/dex@* 1657 <span class="list-paths__item__arrow">›</span> 1658 github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0 1659 1660 </span> 1661 1662 </li> 1663 <li> 1664 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1665 github.com/dexidp/dex@* 1666 <span class="list-paths__item__arrow">›</span> 1667 github.com/hashicorp/hcl/v2/gohcl@v2.13.0 1668 1669 </span> 1670 1671 </li> 1672 <li> 1673 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1674 github.com/dexidp/dex@* 1675 <span class="list-paths__item__arrow">›</span> 1676 github.com/hashicorp/hcl/v2/hclparse@v2.13.0 1677 1678 </span> 1679 1680 </li> 1681 <li> 1682 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1683 github.com/dexidp/dex@* 1684 <span class="list-paths__item__arrow">›</span> 1685 github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0 1686 1687 </span> 1688 1689 </li> 1690 <li> 1691 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1692 github.com/dexidp/dex@* 1693 <span class="list-paths__item__arrow">›</span> 1694 github.com/hashicorp/hcl/v2/hclwrite@v2.13.0 1695 1696 </span> 1697 1698 </li> 1699 <li> 1700 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1701 github.com/dexidp/dex@* 1702 <span class="list-paths__item__arrow">›</span> 1703 github.com/hashicorp/hcl/v2/json@v2.13.0 1704 1705 </span> 1706 1707 </li> 1708 </ul><!-- .list-paths --> 1709 1710 </div><!-- .card__section --> 1711 1712 <hr/> 1713 <!-- Overview --> 1714 <p>MPL-2.0 license</p> 1715 1716 <hr/> 1717 1718 <div class="cta card__cta"> 1719 <p><a 
href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0">More about this vulnerability</a></p> 1720 </div> 1721 1722 </div><!-- .card --> 1723 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1724 <h2 class="card__title">MPL-2.0 license</h2> 1725 <div class="card__section"> 1726 1727 <div class="label label--medium"> 1728 <span class="label__text">medium severity</span> 1729 </div> 1730 1731 <hr/> 1732 1733 <ul class="card__meta"> 1734 <li class="card__meta__item"> 1735 Package Manager: golang 1736 </li> 1737 <li class="card__meta__item"> 1738 Module: 1739 1740 github.com/hashicorp/hcl 1741 </li> 1742 1743 <li class="card__meta__item">Introduced through: 1744 1745 github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/hcl@v1.0.0 1746 1747 </li> 1748 </ul> 1749 1750 <hr/> 1751 1752 1753 <h3 class="card__section__title">Detailed paths</h3> 1754 1755 <ul class="card__meta__paths"> 1756 <li> 1757 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1758 github.com/hairyhenderson/gomplate/v3@* 1759 <span class="list-paths__item__arrow">›</span> 1760 github.com/hashicorp/hcl@v1.0.0 1761 1762 </span> 1763 1764 </li> 1765 <li> 1766 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1767 github.com/hairyhenderson/gomplate/v3@* 1768 <span class="list-paths__item__arrow">›</span> 1769 github.com/hashicorp/hcl/hcl/parser@v1.0.0 1770 1771 </span> 1772 1773 </li> 1774 <li> 1775 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1776 github.com/hairyhenderson/gomplate/v3@* 1777 <span class="list-paths__item__arrow">›</span> 1778 github.com/hashicorp/hcl/hcl/strconv@v1.0.0 1779 1780 </span> 1781 1782 </li> 1783 <li> 1784 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1785 github.com/hairyhenderson/gomplate/v3@* 1786 <span class="list-paths__item__arrow">›</span> 1787 github.com/hashicorp/hcl/hcl/token@v1.0.0 1788 1789 
</span> 1790 1791 </li> 1792 <li> 1793 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1794 github.com/hairyhenderson/gomplate/v3@* 1795 <span class="list-paths__item__arrow">›</span> 1796 github.com/hashicorp/hcl/json/parser@v1.0.0 1797 1798 </span> 1799 1800 </li> 1801 </ul><!-- .list-paths --> 1802 1803 </div><!-- .card__section --> 1804 1805 <hr/> 1806 <!-- Overview --> 1807 <p>MPL-2.0 license</p> 1808 1809 <hr/> 1810 1811 <div class="cta card__cta"> 1812 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0">More about this vulnerability</a></p> 1813 </div> 1814 1815 </div><!-- .card --> 1816 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1817 <h2 class="card__title">MPL-2.0 license</h2> 1818 <div class="card__section"> 1819 1820 <div class="label label--medium"> 1821 <span class="label__text">medium severity</span> 1822 </div> 1823 1824 <hr/> 1825 1826 <ul class="card__meta"> 1827 <li class="card__meta__item"> 1828 Package Manager: golang 1829 </li> 1830 <li class="card__meta__item"> 1831 Module: 1832 1833 github.com/hashicorp/golang-lru/simplelru 1834 </li> 1835 1836 <li class="card__meta__item">Introduced through: 1837 1838 github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/golang-lru/simplelru@v0.5.4 1839 1840 </li> 1841 </ul> 1842 1843 <hr/> 1844 1845 1846 <h3 class="card__section__title">Detailed paths</h3> 1847 1848 <ul class="card__meta__paths"> 1849 <li> 1850 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1851 github.com/hairyhenderson/gomplate/v3@* 1852 <span class="list-paths__item__arrow">›</span> 1853 github.com/hashicorp/golang-lru/simplelru@v0.5.4 1854 1855 </span> 1856 1857 </li> 1858 </ul><!-- .list-paths --> 1859 1860 </div><!-- .card__section --> 1861 1862 <hr/> 1863 <!-- Overview --> 1864 <p>MPL-2.0 license</p> 1865 1866 <hr/> 1867 1868 <div class="cta card__cta"> 1869 <p><a 
href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-version
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-version@v1.5.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-version@v1.5.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-sockaddr
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-sockaddr@v1.0.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-sockaddr@v1.0.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-sockaddr/template@v1.0.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-sockaddr:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-secure-stdlib/strutil
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and
github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:strutil:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-secure-stdlib/parseutil
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.5
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.5
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:parseutil:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-secure-stdlib/mlock
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-secure-stdlib/mlock@v0.1.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-secure-stdlib/mlock@v0.1.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:mlock:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2
class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-rootcerts
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-rootcerts@v1.0.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-rootcerts@v1.0.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-rootcerts:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-retryablehttp
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and
github.com/hashicorp/go-retryablehttp@v0.7.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@v0.7.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-plugin
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-plugin@v1.4.4
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-plugin@v1.4.4
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced
through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-plugin/internal/plugin@v1.4.4
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-plugin:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-immutable-radix
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-immutable-radix@v1.3.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-immutable-radix@v1.3.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-immutable-radix:MPL-2.0">More about this
vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-cleanhttp
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@v0.5.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/errwrap
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/errwrap@v1.1.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/errwrap@v1.1.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/consul/api
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/hashicorp/consul/api@v1.13.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/consul/api@v1.13.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:consul:api:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/gosimple/slug
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v3@* and github.com/gosimple/slug@v1.12.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v3@*
<span class="list-paths__item__arrow">›</span>
github.com/gosimple/slug@v1.12.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0
license</h2>
<div class="card__section">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/go-sql-driver/mysql
</li>
<li class="card__meta__item">Introduced through:
github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.7.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/dexidp/dex@*
<span class="list-paths__item__arrow">›</span>
github.com/go-sql-driver/mysql@v1.7.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:go-sql-driver:mysql:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">CVE-2023-5363</h2>
<div class="card__section">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.18
</li>
<li class="card__meta__item">
Vulnerable module:
openssl/libcrypto3
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.37.0 and openssl/libcrypto3@3.1.1-r1
</li>
</ul>
<hr/>
<h3
class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.37.0
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p>
<p>Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.</p>
<p>Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.</p>
<p>When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter, or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.</p>
<p>For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality.
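</p>
<p>An added illustration, not part of the advisory text, the Snyk report, dex or OpenSSL: the C program below models the IV-reuse outcome for the deterministic-IV construction the advisory goes on to mention (NIST SP 800-38D section 8.2.1, a fixed field followed by an invocation counter). It assumes an application that builds a 16-byte GCM IV as a 4-byte fixed field plus a 12-byte big-endian counter and requests a 16-byte IV through the <code>ivlen</code> parameter; on an unpatched OpenSSL 3.0/3.1 that request is ignored and the default 12-byte GCM IV length is kept, so the cipher sees only the first 12 bytes and the counter bytes that actually change are cut off. No OpenSSL call is made; the truncation is modelled by comparing only the first <code>effective_ivlen</code> bytes, and the lengths and the fixed-field value are the example's own assumptions.</p>

```c
/*
 * Added example (not code from the Snyk report, dex or OpenSSL).
 * Models the IV-reuse consequence described for CVE-2023-5363: an
 * application builds a 16-byte deterministic AES-GCM IV following
 * SP 800-38D section 8.2.1 (fixed field || invocation counter) and asks
 * for a 16-byte IV via the "ivlen" OSSL_PARAM, but an unpatched
 * OpenSSL 3.0/3.1 keeps its default 12-byte GCM IV length, so only the
 * first 12 bytes reach the cipher.  The lengths and the fixed-field value
 * below are the example's own assumptions; no OpenSSL call is made.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APP_IVLEN          16  /* IV length the application constructs      */
#define DEFAULT_GCM_IVLEN  12  /* length the library silently falls back to */
#define FIXED_FIELD_LEN     4  /* leading fixed field (device/context id)   */

/* Deterministic IV: 4-byte fixed field, then a 12-byte big-endian
 * invocation field whose low 8 bytes carry the per-message counter. */
void build_deterministic_iv(uint8_t iv[APP_IVLEN], uint32_t fixed, uint64_t counter)
{
    memset(iv, 0, APP_IVLEN);
    iv[0] = (uint8_t)(fixed >> 24);
    iv[1] = (uint8_t)(fixed >> 16);
    iv[2] = (uint8_t)(fixed >> 8);
    iv[3] = (uint8_t)fixed;
    for (int i = 0; i < 8; i++)
        iv[APP_IVLEN - 1 - i] = (uint8_t)(counter >> (8 * i));
}

/* Count, over n consecutive messages, how many have an effective IV
 * (the first effective_ivlen bytes, i.e. what the cipher actually uses)
 * identical to the previous message's.  Any value above 0 means a
 * (key, nonce) pair was reused, which for GCM breaks both confidentiality
 * and the authenticity guarantee. */
size_t count_iv_reuse(size_t effective_ivlen, size_t n)
{
    uint8_t prev[APP_IVLEN], cur[APP_IVLEN];
    size_t reused = 0;
    const uint32_t fixed = 0x0000A001u;  /* constructed sample fixed field */

    if (n == 0 || effective_ivlen > APP_IVLEN)
        return 0;
    build_deterministic_iv(prev, fixed, 0);
    for (uint64_t c = 1; c < n; c++) {
        build_deterministic_iv(cur, fixed, c);
        if (memcmp(prev, cur, effective_ivlen) == 0)
            reused++;
        memcpy(prev, cur, APP_IVLEN);
    }
    return reused;
}

static void print_iv(const char *label, const uint8_t *iv, size_t len)
{
    printf("%-22s", label);
    for (size_t i = 0; i < len; i++)
        printf("%02x", iv[i]);
    putchar('\n');
}

int main(void)
{
    uint8_t iv[APP_IVLEN];

    build_deterministic_iv(iv, 0x0000A001u, 1);
    print_iv("requested 16-byte IV:", iv, APP_IVLEN);
    print_iv("as used (12 bytes):", iv, DEFAULT_GCM_IVLEN);

    printf("IV reuse over 1000 messages, ivlen honoured (16): %zu\n",
           count_iv_reuse(APP_IVLEN, 1000));
    printf("IV reuse over 1000 messages, ivlen ignored  (12): %zu\n",
           count_iv_reuse(DEFAULT_GCM_IVLEN, 1000));
    return 0;
}
```

<p>With the requested length honoured, no two consecutive IVs collide; with the length silently reduced to 12 bytes, every message after the first reuses its predecessor's nonce, because the bytes that distinguish them lie beyond byte 12. The practical check this suggests for real code (a defensive habit, not something the advisory prescribes) is to read the length back after initialisation with <code>EVP_CIPHER_CTX_get_iv_length()</code> and refuse to encrypt if it differs from the length requested; that catches the fallback regardless of which library version is installed.</p>
<p>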
For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.</p>
<p>Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical.</p>
<p>Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore, it is likely that application developers will have spotted this problem during testing, since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However, if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall.</p>
<p>The OpenSSL SSL/TLS implementation is not affected by this issue.</p>
<p>The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.</p>
<p>OpenSSL 3.1 and 3.0 are vulnerable to this issue.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.4-r0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="http://www.openwall.com/lists/oss-security/2023/10/24/1">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee">openssl-security@openssl.org</a></li>
<li><a
href="https://www.debian.org/security/2023/dsa-5532">openssl-security@openssl.org</a></li>
<li><a href="https://www.openssl.org/news/secadv/20231024.txt">openssl-security@openssl.org</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20231027-0010/">openssl-security@openssl.org</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-6032386">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
</body>
</html>