1 <!DOCTYPE html> 2 <html lang="en"> 3 4 <head> 5 <meta http-equiv="Content-type" content="text/html; charset=utf-8"> 6 <meta http-equiv="Content-Language" content="en-us"> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0"> 8 <meta http-equiv="X-UA-Compatible" content="IE=edge"> 9 <title>Snyk test report</title> 10 <meta name="description" content="25 known vulnerabilities found in 34 vulnerable dependency paths."> 11 <base target="_blank"> 12 <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" 13 sizes="194x194"> 14 <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico"> 15 <style type="text/css"> 16 17 body { 18 -moz-font-feature-settings: "pnum"; 19 -webkit-font-feature-settings: "pnum"; 20 font-variant-numeric: proportional-nums; 21 display: flex; 22 flex-direction: column; 23 font-feature-settings: "pnum"; 24 font-size: 100%; 25 line-height: 1.5; 26 min-height: 100vh; 27 -webkit-text-size-adjust: 100%; 28 margin: 0; 29 padding: 0; 30 background-color: #F5F5F5; 31 font-family: 'Arial', 'Helvetica', Calibri, sans-serif; 32 } 33 34 h1, 35 h2, 36 h3, 37 h4, 38 h5, 39 h6 { 40 font-weight: 500; 41 } 42 43 a, 44 a:link, 45 a:visited { 46 border-bottom: 1px solid #4b45a9; 47 text-decoration: none; 48 color: #4b45a9; 49 } 50 51 a:hover, 52 a:focus, 53 a:active { 54 border-bottom: 1px solid #4b45a9; 55 } 56 57 hr { 58 border: none; 59 margin: 1em 0; 60 border-top: 1px solid #c5c5c5; 61 } 62 63 ul { 64 padding: 0 1em; 65 margin: 1em 0; 66 } 67 68 code { 69 background-color: #EEE; 70 color: #333; 71 padding: 0.25em 0.5em; 72 border-radius: 0.25em; 73 } 74 75 pre { 76 background-color: #333; 77 font-family: monospace; 78 padding: 0.5em 1em 0.75em; 79 border-radius: 0.25em; 80 font-size: 14px; 81 } 82 83 pre code { 84 padding: 0; 85 
background-color: transparent; 86 color: #fff; 87 } 88 89 a code { 90 border-radius: .125rem .125rem 0 0; 91 padding-bottom: 0; 92 color: #4b45a9; 93 } 94 95 a[href^="http://"]:after, 96 a[href^="https://"]:after { 97 background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); 98 background-repeat: no-repeat; 99 background-size: .75rem; 100 content: ""; 101 display: inline-block; 102 height: .75rem; 103 margin-left: .25rem; 104 width: .75rem; 105 } 106 107 108 /* Layout */ 109 110 [class*=layout-container] { 111 margin: 0 auto; 112 max-width: 71.25em; 113 padding: 1.9em 1.3em; 114 position: relative; 115 } 116 .layout-container--short { 117 padding-top: 0; 118 padding-bottom: 0; 119 max-width: 48.75em; 120 } 121 122 .layout-container--short:after { 123 display: block; 124 content: ""; 125 clear: both; 126 } 127 128 /* Header */ 129 130 .header { 131 padding-bottom: 1px; 132 } 133 134 .paths { 135 margin-left: 8px; 136 } 137 .header-wrap { 138 display: flex; 139 flex-direction: row; 140 justify-content: space-between; 141 padding-top: 2em; 142 } 143 .project__header { 144 background-color: #030328; 145 color: #fff; 146 margin-bottom: -1px; 147 padding-top: 1em; 148 padding-bottom: 0.25em; 149 border-bottom: 2px solid #BBB; 150 } 151 152 .project__header__title { 153 overflow-wrap: break-word; 154 word-wrap: break-word; 
155 word-break: break-all; 156 margin-bottom: .1em; 157 margin-top: 0; 158 } 159 160 .timestamp { 161 float: right; 162 clear: none; 163 margin-bottom: 0; 164 } 165 166 .meta-counts { 167 clear: both; 168 display: block; 169 flex-wrap: wrap; 170 justify-content: space-between; 171 margin: 0 0 1.5em; 172 color: #fff; 173 clear: both; 174 font-size: 1.1em; 175 } 176 177 .meta-count { 178 display: block; 179 flex-basis: 100%; 180 margin: 0 1em 1em 0; 181 float: left; 182 padding-right: 1em; 183 border-right: 2px solid #fff; 184 } 185 186 .meta-count:last-child { 187 border-right: 0; 188 padding-right: 0; 189 margin-right: 0; 190 } 191 192 /* Card */ 193 194 .card { 195 background-color: #fff; 196 border: 1px solid #c5c5c5; 197 border-radius: .25rem; 198 margin: 0 0 2em 0; 199 position: relative; 200 min-height: 40px; 201 padding: 1.5em; 202 } 203 204 .card__labels { 205 position: absolute; 206 top: 1.1em; 207 left: 0; 208 display: flex; 209 align-items: center; 210 gap: 8px; 211 } 212 213 .card .label { 214 background-color: #767676; 215 border: 2px solid #767676; 216 color: white; 217 padding: 0.25rem 0.75rem; 218 font-size: 0.875rem; 219 text-transform: uppercase; 220 display: inline-block; 221 margin: 0; 222 border-radius: 0.25rem; 223 } 224 225 .card .label__text { 226 vertical-align: text-top; 227 font-weight: bold; 228 } 229 230 .card .label--critical { 231 background-color: #AB1A1A; 232 border-color: #AB1A1A; 233 } 234 235 .card .label--high { 236 background-color: #CE5019; 237 border-color: #CE5019; 238 } 239 240 .card .label--medium { 241 background-color: #D68000; 242 border-color: #D68000; 243 } 244 245 .card .label--low { 246 background-color: #88879E; 247 border-color: #88879E; 248 } 249 250 .severity--low { 251 border-color: #88879E; 252 } 253 254 .severity--medium { 255 border-color: #D68000; 256 } 257 258 .severity--high { 259 border-color: #CE5019; 260 } 261 262 .severity--critical { 263 border-color: #AB1A1A; 264 } 265 266 .card--vuln { 267 
padding-top: 4em; 268 } 269 270 .card--vuln .card__labels > .label:first-child { 271 padding-left: 1.9em; 272 padding-right: 1.9em; 273 border-radius: 0 0.25rem 0.25rem 0; 274 } 275 276 .card--vuln .card__section h2 { 277 font-size: 22px; 278 margin-bottom: 0.5em; 279 } 280 281 .card--vuln .card__section p { 282 margin: 0 0 0.5em 0; 283 } 284 285 .card--vuln .card__meta { 286 padding: 0 0 0 1em; 287 margin: 0; 288 font-size: 1.1em; 289 } 290 291 .card .card__meta__paths { 292 font-size: 0.9em; 293 } 294 295 .card--vuln .card__title { 296 font-size: 28px; 297 margin-top: 0; 298 margin-right: 100px; /* Ensure space for the risk score */ 299 } 300 301 .card--vuln .card__cta p { 302 margin: 0; 303 text-align: right; 304 } 305 306 .risk-score-display { 307 position: absolute; 308 top: 1.5em; 309 right: 1.5em; 310 text-align: right; 311 z-index: 10; 312 } 313 314 .risk-score-display__label { 315 font-size: 0.7em; 316 font-weight: bold; 317 color: #586069; 318 text-transform: uppercase; 319 line-height: 1; 320 margin-bottom: 3px; 321 } 322 323 .risk-score-display__value { 324 font-size: 1.9em; 325 font-weight: 600; 326 color: #24292e; 327 line-height: 1; 328 } 329 330 .source-panel { 331 clear: both; 332 display: flex; 333 justify-content: flex-start; 334 flex-direction: column; 335 align-items: flex-start; 336 padding: 0.5em 0; 337 width: fit-content; 338 } 339 340 341 342 </style> 343 <style type="text/css"> 344 .metatable { 345 text-size-adjust: 100%; 346 -webkit-font-smoothing: antialiased; 347 -webkit-box-direction: normal; 348 color: inherit; 349 font-feature-settings: "pnum"; 350 box-sizing: border-box; 351 background: transparent; 352 border: 0; 353 font: inherit; 354 font-size: 100%; 355 margin: 0; 356 outline: none; 357 padding: 0; 358 text-align: left; 359 text-decoration: none; 360 vertical-align: baseline; 361 z-index: auto; 362 margin-top: 12px; 363 border-collapse: collapse; 364 border-spacing: 0; 365 font-variant-numeric: tabular-nums; 366 max-width: 
51.75em; 367 } 368 369 tbody { 370 text-size-adjust: 100%; 371 -webkit-font-smoothing: antialiased; 372 -webkit-box-direction: normal; 373 color: inherit; 374 font-feature-settings: "pnum"; 375 border-collapse: collapse; 376 border-spacing: 0; 377 box-sizing: border-box; 378 background: transparent; 379 border: 0; 380 font: inherit; 381 font-size: 100%; 382 margin: 0; 383 outline: none; 384 padding: 0; 385 text-align: left; 386 text-decoration: none; 387 vertical-align: baseline; 388 z-index: auto; 389 display: flex; 390 flex-wrap: wrap; 391 } 392 393 .meta-row { 394 text-size-adjust: 100%; 395 -webkit-font-smoothing: antialiased; 396 -webkit-box-direction: normal; 397 color: inherit; 398 font-feature-settings: "pnum"; 399 border-collapse: collapse; 400 border-spacing: 0; 401 box-sizing: border-box; 402 background: transparent; 403 border: 0; 404 font: inherit; 405 font-size: 100%; 406 outline: none; 407 text-align: left; 408 text-decoration: none; 409 vertical-align: baseline; 410 z-index: auto; 411 display: flex; 412 align-items: start; 413 border-top: 1px solid #d3d3d9; 414 padding: 8px 0 0 0; 415 border-bottom: none; 416 margin: 8px; 417 width: 47.75%; 418 } 419 420 .meta-row-label { 421 text-size-adjust: 100%; 422 -webkit-font-smoothing: antialiased; 423 -webkit-box-direction: normal; 424 font-feature-settings: "pnum"; 425 border-collapse: collapse; 426 border-spacing: 0; 427 color: #4c4a73; 428 box-sizing: border-box; 429 background: transparent; 430 border: 0; 431 font: inherit; 432 margin: 0; 433 outline: none; 434 text-decoration: none; 435 z-index: auto; 436 align-self: start; 437 flex: 1; 438 font-size: 1rem; 439 line-height: 1.5rem; 440 padding: 0; 441 text-align: left; 442 vertical-align: top; 443 text-transform: none; 444 letter-spacing: 0; 445 } 446 447 .meta-row-value { 448 text-size-adjust: 100%; 449 -webkit-font-smoothing: antialiased; 450 -webkit-box-direction: normal; 451 color: inherit; 452 font-feature-settings: "pnum"; 453 border-collapse: 
collapse; 454 border-spacing: 0; 455 word-break: break-word; 456 box-sizing: border-box; 457 background: transparent; 458 border: 0; 459 font: inherit; 460 font-size: 100%; 461 margin: 0; 462 outline: none; 463 padding: 0; 464 text-align: right; 465 text-decoration: none; 466 vertical-align: baseline; 467 z-index: auto; 468 } 469 </style> 470 </head> 471 472 <body class="section-projects"> 473 <main class="layout-stacked"> 474 <div class="layout-stacked__header header"> 475 <header class="project__header"> 476 <div class="layout-container"> 477 <a class="brand" href="https://snyk.io" title="Snyk"> 478 <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img"> 479 <title>Snyk - Open Source Security</title> 480 <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> 481 <g fill="#fff"> 482 <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 
40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path> 483 </g> 484 </g> 485 </svg> 486 </a> 487 <div class="header-wrap"> 488 <h1 class="project__header__title">Snyk test report</h1> 489 490 <p class="timestamp">September 14th 2025, 12:21:32 am (UTC+00:00)</p> 491 </div> 492 <div class="source-panel"> 493 <span>Scanned the following paths:</span> 494 <ul> 495 <li class="paths">ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)</li> 496 <li class="paths">ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)</li> 497 <li class="paths">ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)</li> 498 <li class="paths">ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)</li> 499 </ul> 500 </div> 501 502 <div class="meta-counts"> 503 <div class="meta-count"><span>25</span> <span>known vulnerabilities</span></div> 504 <div class="meta-count"><span>34 vulnerable dependency paths</span></div> 505 <div class="meta-count"><span>1131</span> <span>dependencies</span></div> 506 </div><!-- .meta-counts --> 507 </div><!-- .layout-container--short --> 508 </header><!-- .project__header --> 509 </div><!-- .layout-stacked__header --> 510 511 <div class="layout-container" style="padding-top: 35px;"> 512 <div class="cards--vuln filter--patch filter--ignore"> 513 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 514 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 515 <div class="card__section"> 516 517 <div class="card__labels"> 518 <div class="label label--high"> 519 <span class="label__text">high severity</span> 520 </div> 521 </div> 522 523 <hr/> 524 525 <ul class="card__meta"> 526 <li 
class="card__meta__item"> 527 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 528 </li> 529 <li class="card__meta__item"> 530 Package Manager: golang 531 </li> 532 <li class="card__meta__item"> 533 Vulnerable module: 534 535 golang.org/x/oauth2/jws 536 </li> 537 538 <li class="card__meta__item">Introduced through: 539 540 github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 541 542 </li> 543 </ul> 544 545 <hr/> 546 547 548 <h3 class="card__section__title">Detailed paths</h3> 549 550 <ul class="card__meta__paths"> 551 <li> 552 <span class="list-paths__item__introduced"><em>Introduced through</em>: 553 github.com/hairyhenderson/gomplate/v4@* 554 <span class="list-paths__item__arrow">›</span> 555 golang.org/x/oauth2/jws@v0.24.0 556 557 </span> 558 559 </li> 560 </ul><!-- .list-paths --> 561 562 </div><!-- .card__section --> 563 564 <hr/> 565 <!-- Overview --> 566 <h2 id="overview">Overview</h2> 567 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.</p> 568 <h2 id="remediation">Remediation</h2> 569 <p>Upgrade <code>golang.org/x/oauth2/jws</code> to version 0.27.0 or higher.</p> 570 <h2 id="references">References</h2> 571 <ul> 572 <li><a href="https://github.com/golang/oauth2/commit/681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3">GitHub Commit</a></li> 573 <li><a href="https://github.com/lestrrat-go/jwx/commit/d0bb4610154d45b7dce7d706a8068ea72586d249">GitHub Commit</a></li> 574 <li><a href="https://github.com/golang/go/issues/71490">GitHub Issue</a></li> 575 <li><a href="https://github.com/lestrrat-go/jwx/pull/1308">GitHub PR</a></li> 576 <li><a href="https://pkg.go.dev/vuln/GO-2025-3488">Go Advisory</a></li> 577 </ul> 578 579 <hr/> 580 581 <div class="cta card__cta"> 582 <p><a 
href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594">More about this vulnerability</a></p> 583 </div> 584 585 </div><!-- .card --> 586 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 587 <h2 class="card__title">Server-side Request Forgery (SSRF)</h2> 588 <div class="card__section"> 589 590 <div class="card__labels"> 591 <div class="label label--high"> 592 <span class="label__text">high severity</span> 593 </div> 594 </div> 595 596 <hr/> 597 598 <ul class="card__meta"> 599 <li class="card__meta__item"> 600 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 601 </li> 602 <li class="card__meta__item"> 603 Package Manager: golang 604 </li> 605 <li class="card__meta__item"> 606 Vulnerable module: 607 608 golang.org/x/net/http/httpproxy 609 </li> 610 611 <li class="card__meta__item">Introduced through: 612 613 github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 614 615 </li> 616 </ul> 617 618 <hr/> 619 620 621 <h3 class="card__section__title">Detailed paths</h3> 622 623 <ul class="card__meta__paths"> 624 <li> 625 <span class="list-paths__item__introduced"><em>Introduced through</em>: 626 github.com/hairyhenderson/gomplate/v4@* 627 <span class="list-paths__item__arrow">›</span> 628 golang.org/x/net/http/httpproxy@v0.32.0 629 630 </span> 631 632 </li> 633 </ul><!-- .list-paths --> 634 635 </div><!-- .card__section --> 636 637 <hr/> 638 <!-- Overview --> 639 <h2 id="overview">Overview</h2> 640 <p><a href="https://pkg.go.dev/golang.org/x/net/http/httpproxy">golang.org/x/net/http/httpproxy</a> is a package for HTTP proxy determination based on environment variables, as provided by net/http's <code>ProxyFromEnvironment</code> function.</p> 641 <p>Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in <code>proxy.go</code>, because hostname matching against proxy patterns may treat an 
IPv6 zone ID as a hostname component. An environment variable value like <code>*.example.com</code> could be matched to a request intended for <code>[::1%25.example.com]:80</code>.</p> 642 <h2 id="remediation">Remediation</h2> 643 <p>Upgrade <code>golang.org/x/net/http/httpproxy</code> to version 0.36.0 or higher.</p> 644 <h2 id="references">References</h2> 645 <ul> 646 <li><a href="https://go-review.googlesource.com/c/go/+/654717/4/src/vendor/golang.org/x/net/http/httpproxy/proxy.go">Git Commit</a></li> 647 <li><a href="https://github.com/golang/go/commit/3705a6f1f0a66e70916bb09f50f4fcd1c520df53">GitHub Commit</a></li> 648 <li><a href="https://github.com/golang/net/commit/76f9bf3279eff2e596db4960a78a2665d0ff9405">GitHub Commit</a></li> 649 <li><a href="https://github.com/golang/go/issues/71984">GitHub Issue</a></li> 650 </ul> 651 652 <hr/> 653 654 <div class="cta card__cta"> 655 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTPHTTPPROXY-9058601">More about this vulnerability</a></p> 656 </div> 657 658 </div><!-- .card --> 659 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 660 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 661 <div class="card__section"> 662 663 <div class="card__labels"> 664 <div class="label label--high"> 665 <span class="label__text">high severity</span> 666 </div> 667 </div> 668 669 <hr/> 670 671 <ul class="card__meta"> 672 <li class="card__meta__item"> 673 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 674 </li> 675 <li class="card__meta__item"> 676 Package Manager: golang 677 </li> 678 <li class="card__meta__item"> 679 Vulnerable module: 680 681 golang.org/x/crypto/ssh 682 </li> 683 684 <li class="card__meta__item">Introduced through: 685 686 github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 687 688 </li> 689 </ul> 690 691 <hr/> 692 693 
694 <h3 class="card__section__title">Detailed paths</h3> 695 696 <ul class="card__meta__paths"> 697 <li> 698 <span class="list-paths__item__introduced"><em>Introduced through</em>: 699 github.com/hairyhenderson/gomplate/v4@* 700 <span class="list-paths__item__arrow">›</span> 701 golang.org/x/crypto/ssh@v0.31.0 702 703 </span> 704 705 </li> 706 </ul><!-- .list-paths --> 707 708 </div><!-- .card__section --> 709 710 <hr/> 711 <!-- Overview --> 712 <h2 id="overview">Overview</h2> 713 <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is an SSH client and server.</p> 714 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in <code>handshakeTransport</code> in <code>handshake.go</code>. An internal queue is populated with received packets during the key exchange process, while waiting for the client to send a <code>SSH_MSG_KEXINIT</code>. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.</p> 715 <h2 id="remediation">Remediation</h2> 716 <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.35.0 or higher.</p> 717 <h2 id="references">References</h2> 718 <ul> 719 <li><a href="https://go.dev/cl/652135">Git Commit</a></li> 720 <li><a href="https://go.dev/issue/71931">Go Issue</a></li> 721 <li><a href="https://pkg.go.dev/vuln/GO-2025-3487">Vulnerability Advisory</a></li> 722 </ul> 723 724 <hr/> 725 726 <div class="cta card__cta"> 727 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8747056">More about this vulnerability</a></p> 728 </div> 729 730 </div><!-- .card --> 731 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 732 <h2 class="card__title">Asymmetric Resource Consumption (Amplification)</h2> 733 <div class="card__section"> 734 735 <div class="card__labels"> 736 <div class="label label--high"> 
737 <span class="label__text">high severity</span> 738 </div> 739 </div> 740 741 <hr/> 742 743 <ul class="card__meta"> 744 <li class="card__meta__item"> 745 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 746 </li> 747 <li class="card__meta__item"> 748 Package Manager: golang 749 </li> 750 <li class="card__meta__item"> 751 Vulnerable module: 752 753 github.com/golang-jwt/jwt/v5 754 </li> 755 756 <li class="card__meta__item">Introduced through: 757 758 github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 759 760 </li> 761 </ul> 762 763 <hr/> 764 765 766 <h3 class="card__section__title">Detailed paths</h3> 767 768 <ul class="card__meta__paths"> 769 <li> 770 <span class="list-paths__item__introduced"><em>Introduced through</em>: 771 github.com/hairyhenderson/gomplate/v4@* 772 <span class="list-paths__item__arrow">›</span> 773 github.com/golang-jwt/jwt/v5@v5.2.1 774 775 </span> 776 777 </li> 778 </ul><!-- .list-paths --> 779 780 </div><!-- .card__section --> 781 782 <hr/> 783 <!-- Overview --> 784 <h2 id="overview">Overview</h2> 785 <p>Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the <code>parse.ParseUnverified</code> function. 
An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the <code>Authorization</code> header.</p> 786 <h2 id="remediation">Remediation</h2> 787 <p>Upgrade <code>github.com/golang-jwt/jwt/v5</code> to version 5.2.2 or higher.</p> 788 <h2 id="references">References</h2> 789 <ul> 790 <li><a href="https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3">GitHub Commit</a></li> 791 <li><a href="https://github.com/golang-jwt/jwt/releases/tag/v4.5.2">GitHub Release 4.5.2</a></li> 792 <li><a href="https://github.com/golang-jwt/jwt/releases/tag/v5.2.2">GitHub Release 5.2.2</a></li> 793 </ul> 794 795 <hr/> 796 797 <div class="cta card__cta"> 798 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOLANGJWTJWTV5-9510922">More about this vulnerability</a></p> 799 </div> 800 801 </div><!-- .card --> 802 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 803 <h2 class="card__title">MPL-2.0 license</h2> 804 <div class="card__section"> 805 806 <div class="card__labels"> 807 <div class="label label--medium"> 808 <span class="label__text">medium severity</span> 809 </div> 810 </div> 811 812 <hr/> 813 814 <ul class="card__meta"> 815 <li class="card__meta__item"> 816 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 817 </li> 818 <li class="card__meta__item"> 819 Package Manager: golang 820 </li> 821 <li class="card__meta__item"> 822 Module: 823 824 github.com/hashicorp/vault/api 825 </li> 826 827 <li class="card__meta__item">Introduced through: 828 829 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 830 831 </li> 832 </ul> 833 834 <hr/> 835 836 837 <h3 class="card__section__title">Detailed paths</h3> 838 839 <ul class="card__meta__paths"> 840 <li> 841 <span class="list-paths__item__introduced"><em>Introduced through</em>: 842 
github.com/hairyhenderson/gomplate/v4@* 843 <span class="list-paths__item__arrow">›</span> 844 github.com/hashicorp/vault/api@v1.15.0 845 846 </span> 847 848 </li> 849 </ul><!-- .list-paths --> 850 851 </div><!-- .card__section --> 852 853 <hr/> 854 <!-- Overview --> 855 <p>MPL-2.0 license</p> 856 857 <hr/> 858 859 <div class="cta card__cta"> 860 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:vault:api:MPL-2.0">More about this vulnerability</a></p> 861 </div> 862 863 </div><!-- .card --> 864 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 865 <h2 class="card__title">MPL-2.0 license</h2> 866 <div class="card__section"> 867 868 <div class="card__labels"> 869 <div class="label label--medium"> 870 <span class="label__text">medium severity</span> 871 </div> 872 </div> 873 874 <hr/> 875 876 <ul class="card__meta"> 877 <li class="card__meta__item"> 878 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 879 </li> 880 <li class="card__meta__item"> 881 Package Manager: golang 882 </li> 883 <li class="card__meta__item"> 884 Module: 885 886 github.com/hashicorp/serf/coordinate 887 </li> 888 889 <li class="card__meta__item">Introduced through: 890 891 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.1 892 893 </li> 894 </ul> 895 896 <hr/> 897 898 899 <h3 class="card__section__title">Detailed paths</h3> 900 901 <ul class="card__meta__paths"> 902 <li> 903 <span class="list-paths__item__introduced"><em>Introduced through</em>: 904 github.com/hairyhenderson/gomplate/v4@* 905 <span class="list-paths__item__arrow">›</span> 906 github.com/hashicorp/serf/coordinate@v0.10.1 907 908 </span> 909 910 </li> 911 </ul><!-- .list-paths --> 912 913 </div><!-- .card__section --> 914 915 <hr/> 916 <!-- Overview --> 917 <p>MPL-2.0 license</p> 918 919 <hr/> 920 921 <div class="cta card__cta"> 922 <p><a 
href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:serf:MPL-2.0">More about this vulnerability</a></p> 923 </div> 924 925 </div><!-- .card --> 926 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 927 <h2 class="card__title">MPL-2.0 license</h2> 928 <div class="card__section"> 929 930 <div class="card__labels"> 931 <div class="label label--medium"> 932 <span class="label__text">medium severity</span> 933 </div> 934 </div> 935 936 <hr/> 937 938 <ul class="card__meta"> 939 <li class="card__meta__item"> 940 Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex 941 </li> 942 <li class="card__meta__item"> 943 Package Manager: golang 944 </li> 945 <li class="card__meta__item"> 946 Module: 947 948 github.com/hashicorp/hcl/v2 949 </li> 950 951 <li class="card__meta__item">Introduced through: 952 953 github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0 954 955 </li> 956 </ul> 957 958 <hr/> 959 960 961 <h3 class="card__section__title">Detailed paths</h3> 962 963 <ul class="card__meta__paths"> 964 <li> 965 <span class="list-paths__item__introduced"><em>Introduced through</em>: 966 github.com/dexidp/dex@* 967 <span class="list-paths__item__arrow">›</span> 968 github.com/hashicorp/hcl/v2@v2.13.0 969 970 </span> 971 972 </li> 973 <li> 974 <span class="list-paths__item__introduced"><em>Introduced through</em>: 975 github.com/dexidp/dex@* 976 <span class="list-paths__item__arrow">›</span> 977 github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0 978 979 </span> 980 981 </li> 982 <li> 983 <span class="list-paths__item__introduced"><em>Introduced through</em>: 984 github.com/dexidp/dex@* 985 <span class="list-paths__item__arrow">›</span> 986 github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0 987 988 </span> 989 990 </li> 991 <li> 992 <span class="list-paths__item__introduced"><em>Introduced through</em>: 993 github.com/dexidp/dex@* 994 <span 
class="list-paths__item__arrow">›</span> 995 github.com/hashicorp/hcl/v2/gohcl@v2.13.0 996 997 </span> 998 999 </li> 1000 <li> 1001 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1002 github.com/dexidp/dex@* 1003 <span class="list-paths__item__arrow">›</span> 1004 github.com/hashicorp/hcl/v2/hclparse@v2.13.0 1005 1006 </span> 1007 1008 </li> 1009 <li> 1010 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1011 github.com/dexidp/dex@* 1012 <span class="list-paths__item__arrow">›</span> 1013 github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0 1014 1015 </span> 1016 1017 </li> 1018 <li> 1019 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1020 github.com/dexidp/dex@* 1021 <span class="list-paths__item__arrow">›</span> 1022 github.com/hashicorp/hcl/v2/hclwrite@v2.13.0 1023 1024 </span> 1025 1026 </li> 1027 <li> 1028 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1029 github.com/dexidp/dex@* 1030 <span class="list-paths__item__arrow">›</span> 1031 github.com/hashicorp/hcl/v2/json@v2.13.0 1032 1033 </span> 1034 1035 </li> 1036 </ul><!-- .list-paths --> 1037 1038 </div><!-- .card__section --> 1039 1040 <hr/> 1041 <!-- Overview --> 1042 <p>MPL-2.0 license</p> 1043 1044 <hr/> 1045 1046 <div class="cta card__cta"> 1047 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0">More about this vulnerability</a></p> 1048 </div> 1049 1050 </div><!-- .card --> 1051 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1052 <h2 class="card__title">MPL-2.0 license</h2> 1053 <div class="card__section"> 1054 1055 <div class="card__labels"> 1056 <div class="label label--medium"> 1057 <span class="label__text">medium severity</span> 1058 </div> 1059 </div> 1060 1061 <hr/> 1062 1063 <ul class="card__meta"> 1064 <li class="card__meta__item"> 1065 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span 
class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1066 </li> 1067 <li class="card__meta__item"> 1068 Package Manager: golang 1069 </li> 1070 <li class="card__meta__item"> 1071 Module: 1072 1073 github.com/hashicorp/hcl 1074 </li> 1075 1076 <li class="card__meta__item">Introduced through: 1077 1078 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.0 1079 1080 </li> 1081 </ul> 1082 1083 <hr/> 1084 1085 1086 <h3 class="card__section__title">Detailed paths</h3> 1087 1088 <ul class="card__meta__paths"> 1089 <li> 1090 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1091 github.com/hairyhenderson/gomplate/v4@* 1092 <span class="list-paths__item__arrow">›</span> 1093 github.com/hashicorp/hcl@v1.0.0 1094 1095 </span> 1096 1097 </li> 1098 <li> 1099 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1100 github.com/hairyhenderson/gomplate/v4@* 1101 <span class="list-paths__item__arrow">›</span> 1102 github.com/hashicorp/hcl/hcl/token@v1.0.0 1103 1104 </span> 1105 1106 </li> 1107 </ul><!-- .list-paths --> 1108 1109 </div><!-- .card__section --> 1110 1111 <hr/> 1112 <!-- Overview --> 1113 <p>MPL-2.0 license</p> 1114 1115 <hr/> 1116 1117 <div class="cta card__cta"> 1118 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0">More about this vulnerability</a></p> 1119 </div> 1120 1121 </div><!-- .card --> 1122 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1123 <h2 class="card__title">MPL-2.0 license</h2> 1124 <div class="card__section"> 1125 1126 <div class="card__labels"> 1127 <div class="label label--medium"> 1128 <span class="label__text">medium severity</span> 1129 </div> 1130 </div> 1131 1132 <hr/> 1133 1134 <ul class="card__meta"> 1135 <li class="card__meta__item"> 1136 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1137 </li> 
1138 <li class="card__meta__item"> 1139 Package Manager: golang 1140 </li> 1141 <li class="card__meta__item"> 1142 Module: 1143 1144 github.com/hashicorp/golang-lru/simplelru 1145 </li> 1146 1147 <li class="card__meta__item">Introduced through: 1148 1149 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2 1150 1151 </li> 1152 </ul> 1153 1154 <hr/> 1155 1156 1157 <h3 class="card__section__title">Detailed paths</h3> 1158 1159 <ul class="card__meta__paths"> 1160 <li> 1161 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1162 github.com/hairyhenderson/gomplate/v4@* 1163 <span class="list-paths__item__arrow">›</span> 1164 github.com/hashicorp/golang-lru/simplelru@v1.0.2 1165 1166 </span> 1167 1168 </li> 1169 </ul><!-- .list-paths --> 1170 1171 </div><!-- .card__section --> 1172 1173 <hr/> 1174 <!-- Overview --> 1175 <p>MPL-2.0 license</p> 1176 1177 <hr/> 1178 1179 <div class="cta card__cta"> 1180 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0">More about this vulnerability</a></p> 1181 </div> 1182 1183 </div><!-- .card --> 1184 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1185 <h2 class="card__title">MPL-2.0 license</h2> 1186 <div class="card__section"> 1187 1188 <div class="card__labels"> 1189 <div class="label label--medium"> 1190 <span class="label__text">medium severity</span> 1191 </div> 1192 </div> 1193 1194 <hr/> 1195 1196 <ul class="card__meta"> 1197 <li class="card__meta__item"> 1198 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1199 </li> 1200 <li class="card__meta__item"> 1201 Package Manager: golang 1202 </li> 1203 <li class="card__meta__item"> 1204 Module: 1205 1206 github.com/hashicorp/go-uuid 1207 </li> 1208 1209 <li class="card__meta__item">Introduced through: 1210 1211 github.com/hairyhenderson/gomplate/v4@* and 
github.com/hashicorp/go-uuid@v1.0.3 1212 1213 </li> 1214 </ul> 1215 1216 <hr/> 1217 1218 1219 <h3 class="card__section__title">Detailed paths</h3> 1220 1221 <ul class="card__meta__paths"> 1222 <li> 1223 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1224 github.com/hairyhenderson/gomplate/v4@* 1225 <span class="list-paths__item__arrow">›</span> 1226 github.com/hashicorp/go-uuid@v1.0.3 1227 1228 </span> 1229 1230 </li> 1231 </ul><!-- .list-paths --> 1232 1233 </div><!-- .card__section --> 1234 1235 <hr/> 1236 <!-- Overview --> 1237 <p>MPL-2.0 license</p> 1238 1239 <hr/> 1240 1241 <div class="cta card__cta"> 1242 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-uuid:MPL-2.0">More about this vulnerability</a></p> 1243 </div> 1244 1245 </div><!-- .card --> 1246 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1247 <h2 class="card__title">MPL-2.0 license</h2> 1248 <div class="card__section"> 1249 1250 <div class="card__labels"> 1251 <div class="label label--medium"> 1252 <span class="label__text">medium severity</span> 1253 </div> 1254 </div> 1255 1256 <hr/> 1257 1258 <ul class="card__meta"> 1259 <li class="card__meta__item"> 1260 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1261 </li> 1262 <li class="card__meta__item"> 1263 Package Manager: golang 1264 </li> 1265 <li class="card__meta__item"> 1266 Module: 1267 1268 github.com/hashicorp/go-sockaddr 1269 </li> 1270 1271 <li class="card__meta__item">Introduced through: 1272 1273 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.7 1274 1275 </li> 1276 </ul> 1277 1278 <hr/> 1279 1280 1281 <h3 class="card__section__title">Detailed paths</h3> 1282 1283 <ul class="card__meta__paths"> 1284 <li> 1285 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1286 github.com/hairyhenderson/gomplate/v4@* 
1287 <span class="list-paths__item__arrow">›</span> 1288 github.com/hashicorp/go-sockaddr@v1.0.7 1289 1290 </span> 1291 1292 </li> 1293 <li> 1294 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1295 github.com/hairyhenderson/gomplate/v4@* 1296 <span class="list-paths__item__arrow">›</span> 1297 github.com/hashicorp/go-sockaddr/template@v1.0.7 1298 1299 </span> 1300 1301 </li> 1302 </ul><!-- .list-paths --> 1303 1304 </div><!-- .card__section --> 1305 1306 <hr/> 1307 <!-- Overview --> 1308 <p>MPL-2.0 license</p> 1309 1310 <hr/> 1311 1312 <div class="cta card__cta"> 1313 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-sockaddr:MPL-2.0">More about this vulnerability</a></p> 1314 </div> 1315 1316 </div><!-- .card --> 1317 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1318 <h2 class="card__title">MPL-2.0 license</h2> 1319 <div class="card__section"> 1320 1321 <div class="card__labels"> 1322 <div class="label label--medium"> 1323 <span class="label__text">medium severity</span> 1324 </div> 1325 </div> 1326 1327 <hr/> 1328 1329 <ul class="card__meta"> 1330 <li class="card__meta__item"> 1331 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1332 </li> 1333 <li class="card__meta__item"> 1334 Package Manager: golang 1335 </li> 1336 <li class="card__meta__item"> 1337 Module: 1338 1339 github.com/hashicorp/go-secure-stdlib/strutil 1340 </li> 1341 1342 <li class="card__meta__item">Introduced through: 1343 1344 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 1345 1346 </li> 1347 </ul> 1348 1349 <hr/> 1350 1351 1352 <h3 class="card__section__title">Detailed paths</h3> 1353 1354 <ul class="card__meta__paths"> 1355 <li> 1356 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1357 github.com/hairyhenderson/gomplate/v4@* 1358 <span 
class="list-paths__item__arrow">›</span> 1359 github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 1360 1361 </span> 1362 1363 </li> 1364 </ul><!-- .list-paths --> 1365 1366 </div><!-- .card__section --> 1367 1368 <hr/> 1369 <!-- Overview --> 1370 <p>MPL-2.0 license</p> 1371 1372 <hr/> 1373 1374 <div class="cta card__cta"> 1375 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:strutil:MPL-2.0">More about this vulnerability</a></p> 1376 </div> 1377 1378 </div><!-- .card --> 1379 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1380 <h2 class="card__title">MPL-2.0 license</h2> 1381 <div class="card__section"> 1382 1383 <div class="card__labels"> 1384 <div class="label label--medium"> 1385 <span class="label__text">medium severity</span> 1386 </div> 1387 </div> 1388 1389 <hr/> 1390 1391 <ul class="card__meta"> 1392 <li class="card__meta__item"> 1393 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1394 </li> 1395 <li class="card__meta__item"> 1396 Package Manager: golang 1397 </li> 1398 <li class="card__meta__item"> 1399 Module: 1400 1401 github.com/hashicorp/go-secure-stdlib/parseutil 1402 </li> 1403 1404 <li class="card__meta__item">Introduced through: 1405 1406 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 1407 1408 </li> 1409 </ul> 1410 1411 <hr/> 1412 1413 1414 <h3 class="card__section__title">Detailed paths</h3> 1415 1416 <ul class="card__meta__paths"> 1417 <li> 1418 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1419 github.com/hairyhenderson/gomplate/v4@* 1420 <span class="list-paths__item__arrow">›</span> 1421 github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 1422 1423 </span> 1424 1425 </li> 1426 </ul><!-- .list-paths --> 1427 1428 </div><!-- .card__section --> 1429 1430 <hr/> 1431 <!-- Overview --> 1432 
<p>MPL-2.0 license</p> 1433 1434 <hr/> 1435 1436 <div class="cta card__cta"> 1437 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:parseutil:MPL-2.0">More about this vulnerability</a></p> 1438 </div> 1439 1440 </div><!-- .card --> 1441 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1442 <h2 class="card__title">MPL-2.0 license</h2> 1443 <div class="card__section"> 1444 1445 <div class="card__labels"> 1446 <div class="label label--medium"> 1447 <span class="label__text">medium severity</span> 1448 </div> 1449 </div> 1450 1451 <hr/> 1452 1453 <ul class="card__meta"> 1454 <li class="card__meta__item"> 1455 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1456 </li> 1457 <li class="card__meta__item"> 1458 Package Manager: golang 1459 </li> 1460 <li class="card__meta__item"> 1461 Module: 1462 1463 github.com/hashicorp/go-secure-stdlib/awsutil 1464 </li> 1465 1466 <li class="card__meta__item">Introduced through: 1467 1468 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 1469 1470 </li> 1471 </ul> 1472 1473 <hr/> 1474 1475 1476 <h3 class="card__section__title">Detailed paths</h3> 1477 1478 <ul class="card__meta__paths"> 1479 <li> 1480 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1481 github.com/hairyhenderson/gomplate/v4@* 1482 <span class="list-paths__item__arrow">›</span> 1483 github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 1484 1485 </span> 1486 1487 </li> 1488 </ul><!-- .list-paths --> 1489 1490 </div><!-- .card__section --> 1491 1492 <hr/> 1493 <!-- Overview --> 1494 <p>MPL-2.0 license</p> 1495 1496 <hr/> 1497 1498 <div class="cta card__cta"> 1499 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:awsutil:MPL-2.0">More about this vulnerability</a></p> 1500 </div> 1501 1502 </div><!-- 
.card --> 1503 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1504 <h2 class="card__title">MPL-2.0 license</h2> 1505 <div class="card__section"> 1506 1507 <div class="card__labels"> 1508 <div class="label label--medium"> 1509 <span class="label__text">medium severity</span> 1510 </div> 1511 </div> 1512 1513 <hr/> 1514 1515 <ul class="card__meta"> 1516 <li class="card__meta__item"> 1517 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1518 </li> 1519 <li class="card__meta__item"> 1520 Package Manager: golang 1521 </li> 1522 <li class="card__meta__item"> 1523 Module: 1524 1525 github.com/hashicorp/go-rootcerts 1526 </li> 1527 1528 <li class="card__meta__item">Introduced through: 1529 1530 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2 1531 1532 </li> 1533 </ul> 1534 1535 <hr/> 1536 1537 1538 <h3 class="card__section__title">Detailed paths</h3> 1539 1540 <ul class="card__meta__paths"> 1541 <li> 1542 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1543 github.com/hairyhenderson/gomplate/v4@* 1544 <span class="list-paths__item__arrow">›</span> 1545 github.com/hashicorp/go-rootcerts@v1.0.2 1546 1547 </span> 1548 1549 </li> 1550 </ul><!-- .list-paths --> 1551 1552 </div><!-- .card__section --> 1553 1554 <hr/> 1555 <!-- Overview --> 1556 <p>MPL-2.0 license</p> 1557 1558 <hr/> 1559 1560 <div class="cta card__cta"> 1561 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-rootcerts:MPL-2.0">More about this vulnerability</a></p> 1562 </div> 1563 1564 </div><!-- .card --> 1565 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1566 <h2 class="card__title">MPL-2.0 license</h2> 1567 <div class="card__section"> 1568 1569 <div class="card__labels"> 1570 <div class="label label--medium"> 1571 <span class="label__text">medium 
severity</span> 1572 </div> 1573 </div> 1574 1575 <hr/> 1576 1577 <ul class="card__meta"> 1578 <li class="card__meta__item"> 1579 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1580 </li> 1581 <li class="card__meta__item"> 1582 Package Manager: golang 1583 </li> 1584 <li class="card__meta__item"> 1585 Module: 1586 1587 github.com/hashicorp/go-retryablehttp 1588 </li> 1589 1590 <li class="card__meta__item">Introduced through: 1591 1592 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7 1593 1594 </li> 1595 </ul> 1596 1597 <hr/> 1598 1599 1600 <h3 class="card__section__title">Detailed paths</h3> 1601 1602 <ul class="card__meta__paths"> 1603 <li> 1604 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1605 github.com/hairyhenderson/gomplate/v4@* 1606 <span class="list-paths__item__arrow">›</span> 1607 github.com/hashicorp/go-retryablehttp@v0.7.7 1608 1609 </span> 1610 1611 </li> 1612 </ul><!-- .list-paths --> 1613 1614 </div><!-- .card__section --> 1615 1616 <hr/> 1617 <!-- Overview --> 1618 <p>MPL-2.0 license</p> 1619 1620 <hr/> 1621 1622 <div class="cta card__cta"> 1623 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p> 1624 </div> 1625 1626 </div><!-- .card --> 1627 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1628 <h2 class="card__title">MPL-2.0 license</h2> 1629 <div class="card__section"> 1630 1631 <div class="card__labels"> 1632 <div class="label label--medium"> 1633 <span class="label__text">medium severity</span> 1634 </div> 1635 </div> 1636 1637 <hr/> 1638 1639 <ul class="card__meta"> 1640 <li class="card__meta__item"> 1641 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1642 </li> 1643 <li 
class="card__meta__item"> 1644 Package Manager: golang 1645 </li> 1646 <li class="card__meta__item"> 1647 Module: 1648 1649 github.com/hashicorp/go-multierror 1650 </li> 1651 1652 <li class="card__meta__item">Introduced through: 1653 1654 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1 1655 1656 </li> 1657 </ul> 1658 1659 <hr/> 1660 1661 1662 <h3 class="card__section__title">Detailed paths</h3> 1663 1664 <ul class="card__meta__paths"> 1665 <li> 1666 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1667 github.com/hairyhenderson/gomplate/v4@* 1668 <span class="list-paths__item__arrow">›</span> 1669 github.com/hashicorp/go-multierror@v1.1.1 1670 1671 </span> 1672 1673 </li> 1674 </ul><!-- .list-paths --> 1675 1676 </div><!-- .card__section --> 1677 1678 <hr/> 1679 <!-- Overview --> 1680 <p>MPL-2.0 license</p> 1681 1682 <hr/> 1683 1684 <div class="cta card__cta"> 1685 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p> 1686 </div> 1687 1688 </div><!-- .card --> 1689 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1690 <h2 class="card__title">MPL-2.0 license</h2> 1691 <div class="card__section"> 1692 1693 <div class="card__labels"> 1694 <div class="label label--medium"> 1695 <span class="label__text">medium severity</span> 1696 </div> 1697 </div> 1698 1699 <hr/> 1700 1701 <ul class="card__meta"> 1702 <li class="card__meta__item"> 1703 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1704 </li> 1705 <li class="card__meta__item"> 1706 Package Manager: golang 1707 </li> 1708 <li class="card__meta__item"> 1709 Module: 1710 1711 github.com/hashicorp/go-immutable-radix 1712 </li> 1713 1714 <li class="card__meta__item">Introduced through: 1715 1716 github.com/hairyhenderson/gomplate/v4@* and 
github.com/hashicorp/go-immutable-radix@v1.3.1 1717 1718 </li> 1719 </ul> 1720 1721 <hr/> 1722 1723 1724 <h3 class="card__section__title">Detailed paths</h3> 1725 1726 <ul class="card__meta__paths"> 1727 <li> 1728 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1729 github.com/hairyhenderson/gomplate/v4@* 1730 <span class="list-paths__item__arrow">›</span> 1731 github.com/hashicorp/go-immutable-radix@v1.3.1 1732 1733 </span> 1734 1735 </li> 1736 </ul><!-- .list-paths --> 1737 1738 </div><!-- .card__section --> 1739 1740 <hr/> 1741 <!-- Overview --> 1742 <p>MPL-2.0 license</p> 1743 1744 <hr/> 1745 1746 <div class="cta card__cta"> 1747 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-immutable-radix:MPL-2.0">More about this vulnerability</a></p> 1748 </div> 1749 1750 </div><!-- .card --> 1751 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1752 <h2 class="card__title">MPL-2.0 license</h2> 1753 <div class="card__section"> 1754 1755 <div class="card__labels"> 1756 <div class="label label--medium"> 1757 <span class="label__text">medium severity</span> 1758 </div> 1759 </div> 1760 1761 <hr/> 1762 1763 <ul class="card__meta"> 1764 <li class="card__meta__item"> 1765 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1766 </li> 1767 <li class="card__meta__item"> 1768 Package Manager: golang 1769 </li> 1770 <li class="card__meta__item"> 1771 Module: 1772 1773 github.com/hashicorp/go-cleanhttp 1774 </li> 1775 1776 <li class="card__meta__item">Introduced through: 1777 1778 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2 1779 1780 </li> 1781 </ul> 1782 1783 <hr/> 1784 1785 1786 <h3 class="card__section__title">Detailed paths</h3> 1787 1788 <ul class="card__meta__paths"> 1789 <li> 1790 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1791 
github.com/hairyhenderson/gomplate/v4@* 1792 <span class="list-paths__item__arrow">›</span> 1793 github.com/hashicorp/go-cleanhttp@v0.5.2 1794 1795 </span> 1796 1797 </li> 1798 </ul><!-- .list-paths --> 1799 1800 </div><!-- .card__section --> 1801 1802 <hr/> 1803 <!-- Overview --> 1804 <p>MPL-2.0 license</p> 1805 1806 <hr/> 1807 1808 <div class="cta card__cta"> 1809 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p> 1810 </div> 1811 1812 </div><!-- .card --> 1813 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1814 <h2 class="card__title">MPL-2.0 license</h2> 1815 <div class="card__section"> 1816 1817 <div class="card__labels"> 1818 <div class="label label--medium"> 1819 <span class="label__text">medium severity</span> 1820 </div> 1821 </div> 1822 1823 <hr/> 1824 1825 <ul class="card__meta"> 1826 <li class="card__meta__item"> 1827 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1828 </li> 1829 <li class="card__meta__item"> 1830 Package Manager: golang 1831 </li> 1832 <li class="card__meta__item"> 1833 Module: 1834 1835 github.com/hashicorp/errwrap 1836 </li> 1837 1838 <li class="card__meta__item">Introduced through: 1839 1840 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0 1841 1842 </li> 1843 </ul> 1844 1845 <hr/> 1846 1847 1848 <h3 class="card__section__title">Detailed paths</h3> 1849 1850 <ul class="card__meta__paths"> 1851 <li> 1852 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1853 github.com/hairyhenderson/gomplate/v4@* 1854 <span class="list-paths__item__arrow">›</span> 1855 github.com/hashicorp/errwrap@v1.1.0 1856 1857 </span> 1858 1859 </li> 1860 </ul><!-- .list-paths --> 1861 1862 </div><!-- .card__section --> 1863 1864 <hr/> 1865 <!-- Overview --> 1866 <p>MPL-2.0 license</p> 1867 1868 
<hr/> 1869 1870 <div class="cta card__cta"> 1871 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0">More about this vulnerability</a></p> 1872 </div> 1873 1874 </div><!-- .card --> 1875 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1876 <h2 class="card__title">MPL-2.0 license</h2> 1877 <div class="card__section"> 1878 1879 <div class="card__labels"> 1880 <div class="label label--medium"> 1881 <span class="label__text">medium severity</span> 1882 </div> 1883 </div> 1884 1885 <hr/> 1886 1887 <ul class="card__meta"> 1888 <li class="card__meta__item"> 1889 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1890 </li> 1891 <li class="card__meta__item"> 1892 Package Manager: golang 1893 </li> 1894 <li class="card__meta__item"> 1895 Module: 1896 1897 github.com/hashicorp/consul/api 1898 </li> 1899 1900 <li class="card__meta__item">Introduced through: 1901 1902 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/consul/api@v1.30.0 1903 1904 </li> 1905 </ul> 1906 1907 <hr/> 1908 1909 1910 <h3 class="card__section__title">Detailed paths</h3> 1911 1912 <ul class="card__meta__paths"> 1913 <li> 1914 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1915 github.com/hairyhenderson/gomplate/v4@* 1916 <span class="list-paths__item__arrow">›</span> 1917 github.com/hashicorp/consul/api@v1.30.0 1918 1919 </span> 1920 1921 </li> 1922 </ul><!-- .list-paths --> 1923 1924 </div><!-- .card__section --> 1925 1926 <hr/> 1927 <!-- Overview --> 1928 <p>MPL-2.0 license</p> 1929 1930 <hr/> 1931 1932 <div class="cta card__cta"> 1933 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:consul:api:MPL-2.0">More about this vulnerability</a></p> 1934 </div> 1935 1936 </div><!-- .card --> 1937 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 
1938 <h2 class="card__title">MPL-2.0 license</h2> 1939 <div class="card__section"> 1940 1941 <div class="card__labels"> 1942 <div class="label label--medium"> 1943 <span class="label__text">medium severity</span> 1944 </div> 1945 </div> 1946 1947 <hr/> 1948 1949 <ul class="card__meta"> 1950 <li class="card__meta__item"> 1951 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1952 </li> 1953 <li class="card__meta__item"> 1954 Package Manager: golang 1955 </li> 1956 <li class="card__meta__item"> 1957 Module: 1958 1959 github.com/gosimple/slug 1960 </li> 1961 1962 <li class="card__meta__item">Introduced through: 1963 1964 github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.14.0 1965 1966 </li> 1967 </ul> 1968 1969 <hr/> 1970 1971 1972 <h3 class="card__section__title">Detailed paths</h3> 1973 1974 <ul class="card__meta__paths"> 1975 <li> 1976 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1977 github.com/hairyhenderson/gomplate/v4@* 1978 <span class="list-paths__item__arrow">›</span> 1979 github.com/gosimple/slug@v1.14.0 1980 1981 </span> 1982 1983 </li> 1984 </ul><!-- .list-paths --> 1985 1986 </div><!-- .card__section --> 1987 1988 <hr/> 1989 <!-- Overview --> 1990 <p>MPL-2.0 license</p> 1991 1992 <hr/> 1993 1994 <div class="cta card__cta"> 1995 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p> 1996 </div> 1997 1998 </div><!-- .card --> 1999 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 2000 <h2 class="card__title">MPL-2.0 license</h2> 2001 <div class="card__section"> 2002 2003 <div class="card__labels"> 2004 <div class="label label--medium"> 2005 <span class="label__text">medium severity</span> 2006 </div> 2007 </div> 2008 2009 <hr/> 2010 2011 <ul class="card__meta"> 2012 <li class="card__meta__item"> 2013 Manifest file: 
ghcr.io/dexidp/dex:v2.43.0/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex 2014 </li> 2015 <li class="card__meta__item"> 2016 Package Manager: golang 2017 </li> 2018 <li class="card__meta__item"> 2019 Module: 2020 2021 github.com/go-sql-driver/mysql 2022 </li> 2023 2024 <li class="card__meta__item">Introduced through: 2025 2026 github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.9.2 2027 2028 </li> 2029 </ul> 2030 2031 <hr/> 2032 2033 2034 <h3 class="card__section__title">Detailed paths</h3> 2035 2036 <ul class="card__meta__paths"> 2037 <li> 2038 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2039 github.com/dexidp/dex@* 2040 <span class="list-paths__item__arrow">›</span> 2041 github.com/go-sql-driver/mysql@v1.9.2 2042 2043 </span> 2044 2045 </li> 2046 </ul><!-- .list-paths --> 2047 2048 </div><!-- .card__section --> 2049 2050 <hr/> 2051 <!-- Overview --> 2052 <p>MPL-2.0 license</p> 2053 2054 <hr/> 2055 2056 <div class="cta card__cta"> 2057 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:go-sql-driver:mysql:MPL-2.0">More about this vulnerability</a></p> 2058 </div> 2059 2060 </div><!-- .card --> 2061 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 2062 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 2063 <div class="card__section"> 2064 2065 <div class="card__labels"> 2066 <div class="label label--medium"> 2067 <span class="label__text">medium severity</span> 2068 </div> 2069 </div> 2070 2071 <hr/> 2072 2073 <ul class="card__meta"> 2074 <li class="card__meta__item"> 2075 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 2076 </li> 2077 <li class="card__meta__item"> 2078 Package Manager: golang 2079 </li> 2080 <li class="card__meta__item"> 2081 Vulnerable module: 2082 2083 github.com/go-jose/go-jose/v4 2084 </li> 2085 2086 <li 
class="card__meta__item">Introduced through: 2087 2088 github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 2089 2090 </li> 2091 </ul> 2092 2093 <hr/> 2094 2095 2096 <h3 class="card__section__title">Detailed paths</h3> 2097 2098 <ul class="card__meta__paths"> 2099 <li> 2100 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2101 github.com/hairyhenderson/gomplate/v4@* 2102 <span class="list-paths__item__arrow">›</span> 2103 github.com/go-jose/go-jose/v4@v4.0.2 2104 2105 </span> 2106 2107 </li> 2108 </ul><!-- .list-paths --> 2109 2110 </div><!-- .card__section --> 2111 2112 <hr/> 2113 <!-- Overview --> 2114 <h2 id="overview">Overview</h2> 2115 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. 
</p> 2116 <h2 id="workaround">Workaround</h2> 2117 <p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p> 2118 <h2 id="remediation">Remediation</h2> 2119 <p>Upgrade <code>github.com/go-jose/go-jose/v4</code> to version 4.0.5 or higher.</p> 2120 <h2 id="references">References</h2> 2121 <ul> 2122 <li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li> 2123 <li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li> 2124 </ul> 2125 2126 <hr/> 2127 2128 <div class="cta card__cta"> 2129 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-8745975">More about this vulnerability</a></p> 2130 </div> 2131 2132 </div><!-- .card --> 2133 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2134 <h2 class="card__title">Synchronous Access of Remote Resource without Timeout</h2> 2135 <div class="card__section"> 2136 2137 <div class="card__labels"> 2138 <div class="label label--low"> 2139 <span class="label__text">low severity</span> 2140 </div> 2141 </div> 2142 2143 <hr/> 2144 2145 <ul class="card__meta"> 2146 <li class="card__meta__item"> 2147 Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 2148 </li> 2149 <li class="card__meta__item"> 2150 Package Manager: golang 2151 </li> 2152 <li class="card__meta__item"> 2153 Vulnerable module: 2154 2155 github.com/hashicorp/vault/api 2156 </li> 2157 2158 <li class="card__meta__item">Introduced through: 2159 2160 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 2161 2162 </li> 2163 </ul> 2164 2165 <hr/> 2166 2167 2168 <h3 class="card__section__title">Detailed paths</h3> 2169 2170 <ul class="card__meta__paths"> 2171 <li> 2172 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 2173 github.com/hairyhenderson/gomplate/v4@* 2174 <span class="list-paths__item__arrow">›</span> 2175 github.com/hashicorp/vault/api@v1.15.0 2176 2177 </span> 2178 2179 </li> 2180 </ul><!-- .list-paths --> 2181 2182 </div><!-- .card__section --> 2183 2184 <hr/> 2185 <!-- Overview --> 2186 <h2 id="overview">Overview</h2> 2187 <p>Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout in the <code>rekey</code> and <code>recovery key</code> operations. An attacker can trigger uncontrolled cancellation of these operations, disrupting service availability and leading to denial of service.</p> 2188 <h2 id="remediation">Remediation</h2> 2189 <p>Upgrade <code>github.com/hashicorp/vault/api</code> to version 1.20.0 or higher.</p> 2190 <h2 id="references">References</h2> 2191 <ul> 2192 <li><a href="https://github.com/hashicorp/vault/commit/318f8582134a4a79a45ee2a6edad3072d865739b">GitHub Commit</a></li> 2193 <li><a href="https://github.com/hashicorp/vault/pull/30794">GitHub PR</a></li> 2194 <li><a href="https://discuss.hashicorp.com/t/hcsec-2025-11-vault-vulnerable-to-recovery-key-cancellation-denial-of-service/75570">HashiCorp Discuss</a></li> 2195 </ul> 2196 2197 <hr/> 2198 2199 <div class="cta card__cta"> 2200 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPVAULTAPI-10562144">More about this vulnerability</a></p> 2201 </div> 2202 2203 </div><!-- .card --> 2204 </div><!-- cards --> 2205 </div> 2206 </main><!-- .layout-stacked__content --> 2207 </body> 2208 2209 </html>