github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/v2.14.17/ghcr.io_dexidp_dex_v2.41.1.html (about) 1 <!DOCTYPE html> 2 <html lang="en"> 3 4 <head> 5 <meta http-equiv="Content-type" content="text/html; charset=utf-8"> 6 <meta http-equiv="Content-Language" content="en-us"> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0"> 8 <meta http-equiv="X-UA-Compatible" content="IE=edge"> 9 <title>Snyk test report</title> 10 <meta name="description" content="33 known vulnerabilities found in 78 vulnerable dependency paths."> 11 <base target="_blank"> 12 <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" 13 sizes="194x194"> 14 <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico"> 15 <style type="text/css"> 16 17 body { 18 -moz-font-feature-settings: "pnum"; 19 -webkit-font-feature-settings: "pnum"; 20 font-variant-numeric: proportional-nums; 21 display: flex; 22 flex-direction: column; 23 font-feature-settings: "pnum"; 24 font-size: 100%; 25 line-height: 1.5; 26 min-height: 100vh; 27 -webkit-text-size-adjust: 100%; 28 margin: 0; 29 padding: 0; 30 background-color: #F5F5F5; 31 font-family: 'Arial', 'Helvetica', Calibri, sans-serif; 32 } 33 34 h1, 35 h2, 36 h3, 37 h4, 38 h5, 39 h6 { 40 font-weight: 500; 41 } 42 43 a, 44 a:link, 45 a:visited { 46 border-bottom: 1px solid #4b45a9; 47 text-decoration: none; 48 color: #4b45a9; 49 } 50 51 a:hover, 52 a:focus, 53 a:active { 54 border-bottom: 1px solid #4b45a9; 55 } 56 57 hr { 58 border: none; 59 margin: 1em 0; 60 border-top: 1px solid #c5c5c5; 61 } 62 63 ul { 64 padding: 0 1em; 65 margin: 1em 0; 66 } 67 68 code { 69 background-color: #EEE; 70 color: #333; 71 padding: 0.25em 0.5em; 72 border-radius: 0.25em; 73 } 74 75 pre { 76 background-color: #333; 77 font-family: monospace; 78 padding: 0.5em 1em 0.75em; 79 border-radius: 0.25em; 80 font-size: 14px; 81 } 82 83 pre code { 84 padding: 0; 85 
background-color: transparent; 86 color: #fff; 87 } 88 89 a code { 90 border-radius: .125rem .125rem 0 0; 91 padding-bottom: 0; 92 color: #4b45a9; 93 } 94 95 a[href^="http://"]:after, 96 a[href^="https://"]:after { 97 background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); 98 background-repeat: no-repeat; 99 background-size: .75rem; 100 content: ""; 101 display: inline-block; 102 height: .75rem; 103 margin-left: .25rem; 104 width: .75rem; 105 } 106 107 108 /* Layout */ 109 110 [class*=layout-container] { 111 margin: 0 auto; 112 max-width: 71.25em; 113 padding: 1.9em 1.3em; 114 position: relative; 115 } 116 .layout-container--short { 117 padding-top: 0; 118 padding-bottom: 0; 119 max-width: 48.75em; 120 } 121 122 .layout-container--short:after { 123 display: block; 124 content: ""; 125 clear: both; 126 } 127 128 /* Header */ 129 130 .header { 131 padding-bottom: 1px; 132 } 133 134 .paths { 135 margin-left: 8px; 136 } 137 .header-wrap { 138 display: flex; 139 flex-direction: row; 140 justify-content: space-between; 141 padding-top: 2em; 142 } 143 .project__header { 144 background-color: #030328; 145 color: #fff; 146 margin-bottom: -1px; 147 padding-top: 1em; 148 padding-bottom: 0.25em; 149 border-bottom: 2px solid #BBB; 150 } 151 152 .project__header__title { 153 overflow-wrap: break-word; 154 word-wrap: break-word; 
155 word-break: break-all; 156 margin-bottom: .1em; 157 margin-top: 0; 158 } 159 160 .timestamp { 161 float: right; 162 clear: none; 163 margin-bottom: 0; 164 } 165 166 .meta-counts { 167 clear: both; 168 display: block; 169 flex-wrap: wrap; 170 justify-content: space-between; 171 margin: 0 0 1.5em; 172 color: #fff; 173 clear: both; 174 font-size: 1.1em; 175 } 176 177 .meta-count { 178 display: block; 179 flex-basis: 100%; 180 margin: 0 1em 1em 0; 181 float: left; 182 padding-right: 1em; 183 border-right: 2px solid #fff; 184 } 185 186 .meta-count:last-child { 187 border-right: 0; 188 padding-right: 0; 189 margin-right: 0; 190 } 191 192 /* Card */ 193 194 .card { 195 background-color: #fff; 196 border: 1px solid #c5c5c5; 197 border-radius: .25rem; 198 margin: 0 0 2em 0; 199 position: relative; 200 min-height: 40px; 201 padding: 1.5em; 202 } 203 204 .card__labels { 205 position: absolute; 206 top: 1.1em; 207 left: 0; 208 display: flex; 209 align-items: center; 210 gap: 8px; 211 } 212 213 .card .label { 214 background-color: #767676; 215 border: 2px solid #767676; 216 color: white; 217 padding: 0.25rem 0.75rem; 218 font-size: 0.875rem; 219 text-transform: uppercase; 220 display: inline-block; 221 margin: 0; 222 border-radius: 0.25rem; 223 } 224 225 .card .label__text { 226 vertical-align: text-top; 227 font-weight: bold; 228 } 229 230 .card .label--critical { 231 background-color: #AB1A1A; 232 border-color: #AB1A1A; 233 } 234 235 .card .label--high { 236 background-color: #CE5019; 237 border-color: #CE5019; 238 } 239 240 .card .label--medium { 241 background-color: #D68000; 242 border-color: #D68000; 243 } 244 245 .card .label--low { 246 background-color: #88879E; 247 border-color: #88879E; 248 } 249 250 .severity--low { 251 border-color: #88879E; 252 } 253 254 .severity--medium { 255 border-color: #D68000; 256 } 257 258 .severity--high { 259 border-color: #CE5019; 260 } 261 262 .severity--critical { 263 border-color: #AB1A1A; 264 } 265 266 .card--vuln { 267 
padding-top: 4em; 268 } 269 270 .card--vuln .card__labels > .label:first-child { 271 padding-left: 1.9em; 272 padding-right: 1.9em; 273 border-radius: 0 0.25rem 0.25rem 0; 274 } 275 276 .card--vuln .card__section h2 { 277 font-size: 22px; 278 margin-bottom: 0.5em; 279 } 280 281 .card--vuln .card__section p { 282 margin: 0 0 0.5em 0; 283 } 284 285 .card--vuln .card__meta { 286 padding: 0 0 0 1em; 287 margin: 0; 288 font-size: 1.1em; 289 } 290 291 .card .card__meta__paths { 292 font-size: 0.9em; 293 } 294 295 .card--vuln .card__title { 296 font-size: 28px; 297 margin-top: 0; 298 margin-right: 100px; /* Ensure space for the risk score */ 299 } 300 301 .card--vuln .card__cta p { 302 margin: 0; 303 text-align: right; 304 } 305 306 .risk-score-display { 307 position: absolute; 308 top: 1.5em; 309 right: 1.5em; 310 text-align: right; 311 z-index: 10; 312 } 313 314 .risk-score-display__label { 315 font-size: 0.7em; 316 font-weight: bold; 317 color: #586069; 318 text-transform: uppercase; 319 line-height: 1; 320 margin-bottom: 3px; 321 } 322 323 .risk-score-display__value { 324 font-size: 1.9em; 325 font-weight: 600; 326 color: #24292e; 327 line-height: 1; 328 } 329 330 .source-panel { 331 clear: both; 332 display: flex; 333 justify-content: flex-start; 334 flex-direction: column; 335 align-items: flex-start; 336 padding: 0.5em 0; 337 width: fit-content; 338 } 339 340 341 342 </style> 343 <style type="text/css"> 344 .metatable { 345 text-size-adjust: 100%; 346 -webkit-font-smoothing: antialiased; 347 -webkit-box-direction: normal; 348 color: inherit; 349 font-feature-settings: "pnum"; 350 box-sizing: border-box; 351 background: transparent; 352 border: 0; 353 font: inherit; 354 font-size: 100%; 355 margin: 0; 356 outline: none; 357 padding: 0; 358 text-align: left; 359 text-decoration: none; 360 vertical-align: baseline; 361 z-index: auto; 362 margin-top: 12px; 363 border-collapse: collapse; 364 border-spacing: 0; 365 font-variant-numeric: tabular-nums; 366 max-width: 
51.75em; 367 } 368 369 tbody { 370 text-size-adjust: 100%; 371 -webkit-font-smoothing: antialiased; 372 -webkit-box-direction: normal; 373 color: inherit; 374 font-feature-settings: "pnum"; 375 border-collapse: collapse; 376 border-spacing: 0; 377 box-sizing: border-box; 378 background: transparent; 379 border: 0; 380 font: inherit; 381 font-size: 100%; 382 margin: 0; 383 outline: none; 384 padding: 0; 385 text-align: left; 386 text-decoration: none; 387 vertical-align: baseline; 388 z-index: auto; 389 display: flex; 390 flex-wrap: wrap; 391 } 392 393 .meta-row { 394 text-size-adjust: 100%; 395 -webkit-font-smoothing: antialiased; 396 -webkit-box-direction: normal; 397 color: inherit; 398 font-feature-settings: "pnum"; 399 border-collapse: collapse; 400 border-spacing: 0; 401 box-sizing: border-box; 402 background: transparent; 403 border: 0; 404 font: inherit; 405 font-size: 100%; 406 outline: none; 407 text-align: left; 408 text-decoration: none; 409 vertical-align: baseline; 410 z-index: auto; 411 display: flex; 412 align-items: start; 413 border-top: 1px solid #d3d3d9; 414 padding: 8px 0 0 0; 415 border-bottom: none; 416 margin: 8px; 417 width: 47.75%; 418 } 419 420 .meta-row-label { 421 text-size-adjust: 100%; 422 -webkit-font-smoothing: antialiased; 423 -webkit-box-direction: normal; 424 font-feature-settings: "pnum"; 425 border-collapse: collapse; 426 border-spacing: 0; 427 color: #4c4a73; 428 box-sizing: border-box; 429 background: transparent; 430 border: 0; 431 font: inherit; 432 margin: 0; 433 outline: none; 434 text-decoration: none; 435 z-index: auto; 436 align-self: start; 437 flex: 1; 438 font-size: 1rem; 439 line-height: 1.5rem; 440 padding: 0; 441 text-align: left; 442 vertical-align: top; 443 text-transform: none; 444 letter-spacing: 0; 445 } 446 447 .meta-row-value { 448 text-size-adjust: 100%; 449 -webkit-font-smoothing: antialiased; 450 -webkit-box-direction: normal; 451 color: inherit; 452 font-feature-settings: "pnum"; 453 border-collapse: 
collapse; 454 border-spacing: 0; 455 word-break: break-word; 456 box-sizing: border-box; 457 background: transparent; 458 border: 0; 459 font: inherit; 460 font-size: 100%; 461 margin: 0; 462 outline: none; 463 padding: 0; 464 text-align: right; 465 text-decoration: none; 466 vertical-align: baseline; 467 z-index: auto; 468 } 469 </style> 470 </head> 471 472 <body class="section-projects"> 473 <main class="layout-stacked"> 474 <div class="layout-stacked__header header"> 475 <header class="project__header"> 476 <div class="layout-container"> 477 <a class="brand" href="https://snyk.io" title="Snyk"> 478 <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img"> 479 <title>Snyk - Open Source Security</title> 480 <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> 481 <g fill="#fff"> 482 <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 
40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path> 483 </g> 484 </g> 485 </svg> 486 </a> 487 <div class="header-wrap"> 488 <h1 class="project__header__title">Snyk test report</h1> 489 490 <p class="timestamp">September 14th 2025, 12:29:50 am (UTC+00:00)</p> 491 </div> 492 <div class="source-panel"> 493 <span>Scanned the following paths:</span> 494 <ul> 495 <li class="paths">ghcr.io/dexidp/dex:v2.41.1/dexidp/dex (apk)</li> 496 <li class="paths">ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)</li> 497 <li class="paths">ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)</li> 498 <li class="paths">ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/dex (gomodules)</li> 499 </ul> 500 </div> 501 502 <div class="meta-counts"> 503 <div class="meta-count"><span>33</span> <span>known vulnerabilities</span></div> 504 <div class="meta-count"><span>78 vulnerable dependency paths</span></div> 505 <div class="meta-count"><span>969</span> <span>dependencies</span></div> 506 </div><!-- .meta-counts --> 507 </div><!-- .layout-container--short --> 508 </header><!-- .project__header --> 509 </div><!-- .layout-stacked__header --> 510 511 <div class="layout-container" style="padding-top: 35px;"> 512 <div class="cards--vuln filter--patch filter--ignore"> 513 <div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical"> 514 <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2> 515 <div class="card__section"> 516 517 <div class="card__labels"> 518 <div class="label label--critical"> 519 <span class="label__text">critical severity</span> 520 </div> 521 </div> 522 523 <hr/> 524 525 <ul 
class="card__meta"> 526 <li class="card__meta__item"> 527 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 528 </li> 529 <li class="card__meta__item"> 530 Package Manager: golang 531 </li> 532 <li class="card__meta__item"> 533 Vulnerable module: 534 535 golang.org/x/crypto/ssh 536 </li> 537 538 <li class="card__meta__item">Introduced through: 539 540 github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0 541 542 </li> 543 </ul> 544 545 <hr/> 546 547 548 <h3 class="card__section__title">Detailed paths</h3> 549 550 <ul class="card__meta__paths"> 551 <li> 552 <span class="list-paths__item__introduced"><em>Introduced through</em>: 553 github.com/hairyhenderson/gomplate/v4@* 554 <span class="list-paths__item__arrow">›</span> 555 golang.org/x/crypto/ssh@v0.24.0 556 557 </span> 558 559 </li> 560 </ul><!-- .list-paths --> 561 562 </div><!-- .card__section --> 563 564 <hr/> 565 <!-- Overview --> 566 <h2 id="overview">Overview</h2> 567 <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p> 568 <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p> 569 <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. 
In fact, the assumption is negated in the documentation, which states "A call to this function does not guarantee that the key offered is in fact used to authenticate." The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p> 570 <h2 id="remediation">Remediation</h2> 571 <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p> 572 <h2 id="references">References</h2> 573 <ul> 574 <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li> 575 <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li> 576 <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li> 577 <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li> 578 <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li> 579 <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li> 580 <li><a href="https://github.com/NHAS/CVE-2024-45337-POC">PoC</a></li> 581 </ul> 582 583 <hr/> 584 585 <div class="cta card__cta"> 586 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p> 587 </div> 588 589 </div><!-- .card --> 590 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 591 <h2 class="card__title">Access of Resource Using Incompatible Type ('Type Confusion')</h2> 592 <div class="card__section"> 593 594 <div class="card__labels"> 595 <div class="label label--high"> 596 <span class="label__text">high 
severity</span> 597 </div> 598 </div> 599 600 <hr/> 601 602 <ul class="card__meta"> 603 <li class="card__meta__item"> 604 Package Manager: alpine:3.20 605 </li> 606 <li class="card__meta__item"> 607 Vulnerable module: 608 609 openssl/libcrypto3 610 </li> 611 612 <li class="card__meta__item">Introduced through: 613 614 docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 615 616 </li> 617 </ul> 618 619 <hr/> 620 621 622 <h3 class="card__section__title">Detailed paths</h3> 623 624 <ul class="card__meta__paths"> 625 <li> 626 <span class="list-paths__item__introduced"><em>Introduced through</em>: 627 docker-image|ghcr.io/dexidp/dex@v2.41.1 628 <span class="list-paths__item__arrow">›</span> 629 openssl/libcrypto3@3.3.1-r3 630 631 </span> 632 633 </li> 634 <li> 635 <span class="list-paths__item__introduced"><em>Introduced through</em>: 636 docker-image|ghcr.io/dexidp/dex@v2.41.1 637 <span class="list-paths__item__arrow">›</span> 638 apk-tools/apk-tools@2.14.4-r0 639 <span class="list-paths__item__arrow">›</span> 640 openssl/libcrypto3@3.3.1-r3 641 642 </span> 643 644 </li> 645 <li> 646 <span class="list-paths__item__introduced"><em>Introduced through</em>: 647 docker-image|ghcr.io/dexidp/dex@v2.41.1 648 <span class="list-paths__item__arrow">›</span> 649 busybox/ssl_client@1.36.1-r29 650 <span class="list-paths__item__arrow">›</span> 651 openssl/libcrypto3@3.3.1-r3 652 653 </span> 654 655 </li> 656 <li> 657 <span class="list-paths__item__introduced"><em>Introduced through</em>: 658 docker-image|ghcr.io/dexidp/dex@v2.41.1 659 <span class="list-paths__item__arrow">›</span> 660 apk-tools/apk-tools@2.14.4-r0 661 <span class="list-paths__item__arrow">›</span> 662 openssl/libssl3@3.3.1-r3 663 <span class="list-paths__item__arrow">›</span> 664 openssl/libcrypto3@3.3.1-r3 665 666 </span> 667 668 </li> 669 <li> 670 <span class="list-paths__item__introduced"><em>Introduced through</em>: 671 docker-image|ghcr.io/dexidp/dex@v2.41.1 672 <span 
class="list-paths__item__arrow">›</span> 673 openssl/libssl3@3.3.1-r3 674 675 </span> 676 677 </li> 678 <li> 679 <span class="list-paths__item__introduced"><em>Introduced through</em>: 680 docker-image|ghcr.io/dexidp/dex@v2.41.1 681 <span class="list-paths__item__arrow">›</span> 682 apk-tools/apk-tools@2.14.4-r0 683 <span class="list-paths__item__arrow">›</span> 684 openssl/libssl3@3.3.1-r3 685 686 </span> 687 688 </li> 689 <li> 690 <span class="list-paths__item__introduced"><em>Introduced through</em>: 691 docker-image|ghcr.io/dexidp/dex@v2.41.1 692 <span class="list-paths__item__arrow">›</span> 693 busybox/ssl_client@1.36.1-r29 694 <span class="list-paths__item__arrow">›</span> 695 openssl/libssl3@3.3.1-r3 696 697 </span> 698 699 </li> 700 </ul><!-- .list-paths --> 701 702 </div><!-- .card__section --> 703 704 <hr/> 705 <!-- Overview --> 706 <h2 id="nvd-description">NVD Description</h2> 707 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 708 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 709 <p>Issue summary: Applications performing certificate name checks (e.g., TLS 710 clients checking server certificates) may attempt to read an invalid memory 711 address resulting in abnormal termination of the application process.</p> 712 <p>Impact summary: Abnormal termination of an application can a cause a denial of 713 service.</p> 714 <p>Applications performing certificate name checks (e.g., TLS clients checking 715 server certificates) may attempt to read an invalid memory address when 716 comparing the expected name with an <code>otherName</code> subject alternative name of an 717 X.509 certificate. 
This may result in an exception that terminates the 718 application program.</p> 719 <p>Note that basic certificate chain validation (signatures, dates, ...) is not 720 affected, the denial of service can occur only when the application also 721 specifies an expected DNS name, Email address or IP address.</p> 722 <p>TLS servers rarely solicit client certificates, and even when they do, they 723 generally don't perform a name check against a reference identifier (expected 724 identity), but rather extract the presented identity after checking the 725 certificate chain. So TLS servers are generally not affected and the severity 726 of the issue is Moderate.</p> 727 <p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p> 728 <h2 id="remediation">Remediation</h2> 729 <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r0 or higher.</p> 730 <h2 id="references">References</h2> 731 <ul> 732 <li><a href="https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f">https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f</a></li> 733 <li><a href="https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6">https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6</a></li> 734 <li><a href="https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2">https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2</a></li> 735 <li><a href="https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0">https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0</a></li> 736 <li><a href="https://openssl-library.org/news/secadv/20240903.txt">https://openssl-library.org/news/secadv/20240903.txt</a></li> 737 <li><a href="http://www.openwall.com/lists/oss-security/2024/09/03/4">http://www.openwall.com/lists/oss-security/2024/09/03/4</a></li> 738 <li><a 
href="https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html">https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html</a></li> 739 <li><a href="https://security.netapp.com/advisory/ntap-20240912-0001/">https://security.netapp.com/advisory/ntap-20240912-0001/</a></li> 740 </ul> 741 742 <hr/> 743 744 <div class="cta card__cta"> 745 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-7895537">More about this vulnerability</a></p> 746 </div> 747 748 </div><!-- .card --> 749 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 750 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 751 <div class="card__section"> 752 753 <div class="card__labels"> 754 <div class="label label--high"> 755 <span class="label__text">high severity</span> 756 </div> 757 </div> 758 759 <hr/> 760 761 <ul class="card__meta"> 762 <li class="card__meta__item"> 763 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 764 </li> 765 <li class="card__meta__item"> 766 Package Manager: golang 767 </li> 768 <li class="card__meta__item"> 769 Vulnerable module: 770 771 golang.org/x/oauth2/jws 772 </li> 773 774 <li class="card__meta__item">Introduced through: 775 776 github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.21.0 777 778 </li> 779 </ul> 780 781 <hr/> 782 783 784 <h3 class="card__section__title">Detailed paths</h3> 785 786 <ul class="card__meta__paths"> 787 <li> 788 <span class="list-paths__item__introduced"><em>Introduced through</em>: 789 github.com/hairyhenderson/gomplate/v4@* 790 <span class="list-paths__item__arrow">›</span> 791 golang.org/x/oauth2/jws@v0.21.0 792 793 </span> 794 795 </li> 796 <li> 797 <span class="list-paths__item__introduced"><em>Introduced through</em>: 798 github.com/dexidp/dex@* 799 <span class="list-paths__item__arrow">›</span> 800 
golang.org/x/oauth2/jws@v0.21.0 801 802 </span> 803 804 </li> 805 </ul><!-- .list-paths --> 806 807 </div><!-- .card__section --> 808 809 <hr/> 810 <!-- Overview --> 811 <h2 id="overview">Overview</h2> 812 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.</p> 813 <h2 id="remediation">Remediation</h2> 814 <p>Upgrade <code>golang.org/x/oauth2/jws</code> to version 0.27.0 or higher.</p> 815 <h2 id="references">References</h2> 816 <ul> 817 <li><a href="https://github.com/golang/oauth2/commit/681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3">GitHub Commit</a></li> 818 <li><a href="https://github.com/lestrrat-go/jwx/commit/d0bb4610154d45b7dce7d706a8068ea72586d249">GitHub Commit</a></li> 819 <li><a href="https://github.com/golang/go/issues/71490">GitHub Issue</a></li> 820 <li><a href="https://github.com/lestrrat-go/jwx/pull/1308">GitHub PR</a></li> 821 <li><a href="https://pkg.go.dev/vuln/GO-2025-3488">Go Advisory</a></li> 822 </ul> 823 824 <hr/> 825 826 <div class="cta card__cta"> 827 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594">More about this vulnerability</a></p> 828 </div> 829 830 </div><!-- .card --> 831 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 832 <h2 class="card__title">Server-side Request Forgery (SSRF)</h2> 833 <div class="card__section"> 834 835 <div class="card__labels"> 836 <div class="label label--high"> 837 <span class="label__text">high severity</span> 838 </div> 839 </div> 840 841 <hr/> 842 843 <ul class="card__meta"> 844 <li class="card__meta__item"> 845 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 846 </li> 847 <li class="card__meta__item"> 848 Package Manager: golang 849 </li> 850 <li class="card__meta__item"> 851 Vulnerable module: 852 853 
golang.org/x/net/http/httpproxy 854 </li> 855 856 <li class="card__meta__item">Introduced through: 857 858 github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.26.0 859 860 </li> 861 </ul> 862 863 <hr/> 864 865 866 <h3 class="card__section__title">Detailed paths</h3> 867 868 <ul class="card__meta__paths"> 869 <li> 870 <span class="list-paths__item__introduced"><em>Introduced through</em>: 871 github.com/hairyhenderson/gomplate/v4@* 872 <span class="list-paths__item__arrow">›</span> 873 golang.org/x/net/http/httpproxy@v0.26.0 874 875 </span> 876 877 </li> 878 <li> 879 <span class="list-paths__item__introduced"><em>Introduced through</em>: 880 github.com/dexidp/dex@* 881 <span class="list-paths__item__arrow">›</span> 882 golang.org/x/net/http/httpproxy@v0.27.0 883 884 </span> 885 886 </li> 887 </ul><!-- .list-paths --> 888 889 </div><!-- .card__section --> 890 891 <hr/> 892 <!-- Overview --> 893 <h2 id="overview">Overview</h2> 894 <p><a href="https://pkg.go.dev/golang.org/x/net/http/httpproxy">golang.org/x/net/http/httpproxy</a> is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function</p> 895 <p>Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in <code>proxy.go</code>, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. 
An environment variable value like <code>*.example.com</code> could be matched to a request intended for <code>[::1%25.example.com]:80</code>.</p> 896 <h2 id="remediation">Remediation</h2> 897 <p>Upgrade <code>golang.org/x/net/http/httpproxy</code> to version 0.36.0 or higher.</p> 898 <h2 id="references">References</h2> 899 <ul> 900 <li><a href="https://go-review.googlesource.com/c/go/+/654717/4/src/vendor/golang.org/x/net/http/httpproxy/proxy.go">Git Commit</a></li> 901 <li><a href="https://github.com/golang/go/commit/3705a6f1f0a66e70916bb09f50f4fcd1c520df53">GitHub Commit</a></li> 902 <li><a href="https://github.com/golang/net/commit/76f9bf3279eff2e596db4960a78a2665d0ff9405">GitHub Commit</a></li> 903 <li><a href="https://github.com/golang/go/issues/71984">GitHub Issue</a></li> 904 </ul> 905 906 <hr/> 907 908 <div class="cta card__cta"> 909 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTPHTTPPROXY-9058601">More about this vulnerability</a></p> 910 </div> 911 912 </div><!-- .card --> 913 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 914 <h2 class="card__title">Denial of Service (DoS)</h2> 915 <div class="card__section"> 916 917 <div class="card__labels"> 918 <div class="label label--high"> 919 <span class="label__text">high severity</span> 920 </div> 921 </div> 922 923 <hr/> 924 925 <ul class="card__meta"> 926 <li class="card__meta__item"> 927 Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex 928 </li> 929 <li class="card__meta__item"> 930 Package Manager: golang 931 </li> 932 <li class="card__meta__item"> 933 Vulnerable module: 934 935 golang.org/x/net/html 936 </li> 937 938 <li class="card__meta__item">Introduced through: 939 940 github.com/dexidp/dex@* and golang.org/x/net/html@v0.27.0 941 942 </li> 943 </ul> 944 945 <hr/> 946 947 948 <h3 class="card__section__title">Detailed paths</h3> 949 950 <ul class="card__meta__paths"> 951 <li> 952 
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/dexidp/dex@*
<span class="list-paths__item__arrow">›</span>
golang.org/x/net/html@v0.27.0

</span>

</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/net/html">golang.org/x/net/html</a> is a package that implements an HTML5-compliant tokenizer and parser.</p>
<p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the functions <code>parseDoctype</code>, <code>htmlIntegrationPoint</code>, <code>inBodyIM</code> and <code>inTableIM</code>, due to inefficient use of <code>strings.ToLower</code> combined with the <code>==</code> operator to convert strings to lowercase and then compare them.</p>
<p>An attacker can cause the application to slow down significantly by crafting inputs that are processed in non-linear time.</p>
<h2 id="details">Details</h2>
<p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
<p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users, resulting in downtime.</p>
<p>One popular Denial of Service vulnerability is DDoS (Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
<p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or in the open source libraries it uses.</p>
<p>Two common types of DoS vulnerabilities:</p>
<ul>
<li><p>High CPU/Memory Consumption - An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
</li>
<li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For example, the <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a>.</p>
</li>
</ul>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/net/html</code> to version 0.33.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/net/commit/8e66b04771e35c4e4125e8c60334b34e2423effb">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/70906">GitHub Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ">Google Groups Forum</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-8535262">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:

golang.org/x/crypto/ssh
</li>

<li class="card__meta__item">Introduced through:

github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0

</li>
</ul>

<hr/>


<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
golang.org/x/crypto/ssh@v0.24.0

</span>

</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is an SSH client and server.</p>
<p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in <code>handshakeTransport</code> in <code>handshake.go</code>. An internal queue is populated with received packets during the key exchange process while the server waits for the client to send an <code>SSH_MSG_KEXINIT</code>. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.35.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://go.dev/cl/652135">Git Commit</a></li>
<li><a href="https://go.dev/issue/71931">Go Issue</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2025-3487">Vulnerability Advisory</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8747056">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Asymmetric Resource Consumption (Amplification)</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li
class="card__meta__item"> 1084 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1085 </li> 1086 <li class="card__meta__item"> 1087 Package Manager: golang 1088 </li> 1089 <li class="card__meta__item"> 1090 Vulnerable module: 1091 1092 github.com/golang-jwt/jwt/v5 1093 </li> 1094 1095 <li class="card__meta__item">Introduced through: 1096 1097 github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 1098 1099 </li> 1100 </ul> 1101 1102 <hr/> 1103 1104 1105 <h3 class="card__section__title">Detailed paths</h3> 1106 1107 <ul class="card__meta__paths"> 1108 <li> 1109 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1110 github.com/hairyhenderson/gomplate/v4@* 1111 <span class="list-paths__item__arrow">›</span> 1112 github.com/golang-jwt/jwt/v5@v5.2.1 1113 1114 </span> 1115 1116 </li> 1117 </ul><!-- .list-paths --> 1118 1119 </div><!-- .card__section --> 1120 1121 <hr/> 1122 <!-- Overview --> 1123 <h2 id="overview">Overview</h2> 1124 <p>Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the <code>parse.ParseUnverified</code> function. 
An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the <code>Authorization</code> header.</p> 1125 <h2 id="remediation">Remediation</h2> 1126 <p>Upgrade <code>github.com/golang-jwt/jwt/v5</code> to version 5.2.2 or higher.</p> 1127 <h2 id="references">References</h2> 1128 <ul> 1129 <li><a href="https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3">GitHub Commit</a></li> 1130 <li><a href="https://github.com/golang-jwt/jwt/releases/tag/v4.5.2">GitHub Release 4.5.2</a></li> 1131 <li><a href="https://github.com/golang-jwt/jwt/releases/tag/v5.2.2">GitHub Release 5.2.2</a></li> 1132 </ul> 1133 1134 <hr/> 1135 1136 <div class="cta card__cta"> 1137 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOLANGJWTJWTV5-9510922">More about this vulnerability</a></p> 1138 </div> 1139 1140 </div><!-- .card --> 1141 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1142 <h2 class="card__title">Insertion of Sensitive Information into Log File</h2> 1143 <div class="card__section"> 1144 1145 <div class="card__labels"> 1146 <div class="label label--medium"> 1147 <span class="label__text">medium severity</span> 1148 </div> 1149 </div> 1150 1151 <hr/> 1152 1153 <ul class="card__meta"> 1154 <li class="card__meta__item"> 1155 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1156 </li> 1157 <li class="card__meta__item"> 1158 Package Manager: golang 1159 </li> 1160 <li class="card__meta__item"> 1161 Vulnerable module: 1162 1163 google.golang.org/grpc/metadata 1164 </li> 1165 1166 <li class="card__meta__item">Introduced through: 1167 1168 github.com/hairyhenderson/gomplate/v4@* and google.golang.org/grpc/metadata@v1.64.0 1169 1170 </li> 1171 </ul> 1172 1173 <hr/> 1174 1175 1176 <h3 class="card__section__title">Detailed paths</h3> 1177 1178 <ul class="card__meta__paths"> 1179 
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
google.golang.org/grpc/metadata@v1.64.0

</span>

</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://pkg.go.dev/github.com/grpc/grpc-go/metadata">google.golang.org/grpc/metadata</a> is a package that defines the structure of the metadata supported by the gRPC library.</p>
<p>Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of gRPC metadata. If the metadata contains sensitive information, an attacker can expose it.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>google.golang.org/grpc/metadata</code> to version 1.64.1 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb">GitHub Commit</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPCMETADATA-7430177">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Improper Validation of Syntactic Correctness of Input</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
</li>
<li class="card__meta__item">
Package
Manager: golang 1229 </li> 1230 <li class="card__meta__item"> 1231 Vulnerable module: 1232 1233 golang.org/x/net/html 1234 </li> 1235 1236 <li class="card__meta__item">Introduced through: 1237 1238 github.com/dexidp/dex@* and golang.org/x/net/html@v0.27.0 1239 1240 </li> 1241 </ul> 1242 1243 <hr/> 1244 1245 1246 <h3 class="card__section__title">Detailed paths</h3> 1247 1248 <ul class="card__meta__paths"> 1249 <li> 1250 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1251 github.com/dexidp/dex@* 1252 <span class="list-paths__item__arrow">›</span> 1253 golang.org/x/net/html@v0.27.0 1254 1255 </span> 1256 1257 </li> 1258 </ul><!-- .list-paths --> 1259 1260 </div><!-- .card__section --> 1261 1262 <hr/> 1263 <!-- Overview --> 1264 <h2 id="overview">Overview</h2> 1265 <p><a href="https://pkg.go.dev/golang.org/x/net/html">golang.org/x/net/html</a> is a package that implements an HTML5-compliant tokenizer and parser.</p> 1266 <p>Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the tokenizer in <code>token.go</code>, which incorrectly interprets tags as closing tags, allowing malicious input to be incorrectly processed and the DOM to be corrupted.</p> 1267 <h2 id="details">Details</h2> 1268 <p>Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.</p> 1269 <p>This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes the malicious script on the client side (through client-side languages, usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.</p>
<p>Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.</p>
<p>Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, <code>&lt;</code> can be coded as <code>&amp;lt;</code> and <code>&gt;</code> can be coded as <code>&amp;gt;</code> in order to be interpreted and displayed as themselves in text, while within the code itself they are used for HTML tags. If malicious content is injected into an application that escapes special characters, and that malicious content uses <code>&lt;</code> and <code>&gt;</code> as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they have been correctly escaped in the application code, and in this way the attempted attack is diverted.</p>
<p>The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality, and deliver malware.</p>
<h3 id="types-of-attacks">Types of attacks</h3>
<p>There are a few methods by which XSS can be manipulated:</p>
<table>
<thead>
<tr>
<th>Type</th>
<th>Origin</th>
<th>Description</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Stored</strong></td>
<td>Server</td>
<td>The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.</td>
</tr>
<tr>
<td><strong>Reflected</strong></td>
<td>Server</td>
<td>The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.</td>
</tr>
<tr>
<td><strong>DOM-based</strong></td>
<td>Client</td>
<td>The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.</td>
</tr>
<tr>
<td><strong>Mutated</strong></td>
<td></td>
<td>The attacker injects code that appears safe, but is then rewritten and modified by the browser while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.</td>
</tr>
</tbody></table>
<h3 id="affected-environments">Affected environments</h3>
<p>The following environments are susceptible to an XSS attack:</p>
<ul>
<li>Web servers</li>
<li>Application servers</li>
<li>Web application environments</li>
</ul>
<h3 id="how-to-prevent">How to prevent</h3>
<p>This section describes the top best practices designed to specifically protect your code:</p>
<ul>
<li>Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.</li>
<li>Convert special characters such as <code>?</code>, <code>&amp;</code>, <code>/</code>, <code>&lt;</code>, <code>&gt;</code> and spaces to their respective HTML or URL encoded equivalents.</li>
<li>Give users the option to disable client-side scripts.</li>
<li>Redirect invalid requests.</li>
<li>Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.</li>
<li>Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.</li>
<li>Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.</li>
</ul>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/net/html</code> to version 0.38.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/73070">GitHub Issue</a></li>
<li><a href="https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA">Google Groups Announcement</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-9572088">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:

github.com/hashicorp/vault/api
</li>
1362 1363 <li class="card__meta__item">Introduced through: 1364 1365 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.14.0 1366 1367 </li> 1368 </ul> 1369 1370 <hr/> 1371 1372 1373 <h3 class="card__section__title">Detailed paths</h3> 1374 1375 <ul class="card__meta__paths"> 1376 <li> 1377 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1378 github.com/hairyhenderson/gomplate/v4@* 1379 <span class="list-paths__item__arrow">›</span> 1380 github.com/hashicorp/vault/api@v1.14.0 1381 1382 </span> 1383 1384 </li> 1385 </ul><!-- .list-paths --> 1386 1387 </div><!-- .card__section --> 1388 1389 <hr/> 1390 <!-- Overview --> 1391 <p>MPL-2.0 license</p> 1392 1393 <hr/> 1394 1395 <div class="cta card__cta"> 1396 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:vault:api:MPL-2.0">More about this vulnerability</a></p> 1397 </div> 1398 1399 </div><!-- .card --> 1400 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1401 <h2 class="card__title">MPL-2.0 license</h2> 1402 <div class="card__section"> 1403 1404 <div class="card__labels"> 1405 <div class="label label--medium"> 1406 <span class="label__text">medium severity</span> 1407 </div> 1408 </div> 1409 1410 <hr/> 1411 1412 <ul class="card__meta"> 1413 <li class="card__meta__item"> 1414 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1415 </li> 1416 <li class="card__meta__item"> 1417 Package Manager: golang 1418 </li> 1419 <li class="card__meta__item"> 1420 Module: 1421 1422 github.com/hashicorp/serf/coordinate 1423 </li> 1424 1425 <li class="card__meta__item">Introduced through: 1426 1427 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.1 1428 1429 </li> 1430 </ul> 1431 1432 <hr/> 1433 1434 1435 <h3 class="card__section__title">Detailed paths</h3> 1436 1437 <ul class="card__meta__paths"> 
1438 <li> 1439 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1440 github.com/hairyhenderson/gomplate/v4@* 1441 <span class="list-paths__item__arrow">›</span> 1442 github.com/hashicorp/serf/coordinate@v0.10.1 1443 1444 </span> 1445 1446 </li> 1447 </ul><!-- .list-paths --> 1448 1449 </div><!-- .card__section --> 1450 1451 <hr/> 1452 <!-- Overview --> 1453 <p>MPL-2.0 license</p> 1454 1455 <hr/> 1456 1457 <div class="cta card__cta"> 1458 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:serf:MPL-2.0">More about this vulnerability</a></p> 1459 </div> 1460 1461 </div><!-- .card --> 1462 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1463 <h2 class="card__title">MPL-2.0 license</h2> 1464 <div class="card__section"> 1465 1466 <div class="card__labels"> 1467 <div class="label label--medium"> 1468 <span class="label__text">medium severity</span> 1469 </div> 1470 </div> 1471 1472 <hr/> 1473 1474 <ul class="card__meta"> 1475 <li class="card__meta__item"> 1476 Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex 1477 </li> 1478 <li class="card__meta__item"> 1479 Package Manager: golang 1480 </li> 1481 <li class="card__meta__item"> 1482 Module: 1483 1484 github.com/hashicorp/hcl/v2 1485 </li> 1486 1487 <li class="card__meta__item">Introduced through: 1488 1489 github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0 1490 1491 </li> 1492 </ul> 1493 1494 <hr/> 1495 1496 1497 <h3 class="card__section__title">Detailed paths</h3> 1498 1499 <ul class="card__meta__paths"> 1500 <li> 1501 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1502 github.com/dexidp/dex@* 1503 <span class="list-paths__item__arrow">›</span> 1504 github.com/hashicorp/hcl/v2@v2.13.0 1505 1506 </span> 1507 1508 </li> 1509 <li> 1510 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1511 github.com/dexidp/dex@* 
1512 <span class="list-paths__item__arrow">›</span> 1513 github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0 1514 1515 </span> 1516 1517 </li> 1518 <li> 1519 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1520 github.com/dexidp/dex@* 1521 <span class="list-paths__item__arrow">›</span> 1522 github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0 1523 1524 </span> 1525 1526 </li> 1527 <li> 1528 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1529 github.com/dexidp/dex@* 1530 <span class="list-paths__item__arrow">›</span> 1531 github.com/hashicorp/hcl/v2/gohcl@v2.13.0 1532 1533 </span> 1534 1535 </li> 1536 <li> 1537 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1538 github.com/dexidp/dex@* 1539 <span class="list-paths__item__arrow">›</span> 1540 github.com/hashicorp/hcl/v2/hclparse@v2.13.0 1541 1542 </span> 1543 1544 </li> 1545 <li> 1546 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1547 github.com/dexidp/dex@* 1548 <span class="list-paths__item__arrow">›</span> 1549 github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0 1550 1551 </span> 1552 1553 </li> 1554 <li> 1555 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1556 github.com/dexidp/dex@* 1557 <span class="list-paths__item__arrow">›</span> 1558 github.com/hashicorp/hcl/v2/hclwrite@v2.13.0 1559 1560 </span> 1561 1562 </li> 1563 <li> 1564 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1565 github.com/dexidp/dex@* 1566 <span class="list-paths__item__arrow">›</span> 1567 github.com/hashicorp/hcl/v2/json@v2.13.0 1568 1569 </span> 1570 1571 </li> 1572 </ul><!-- .list-paths --> 1573 1574 </div><!-- .card__section --> 1575 1576 <hr/> 1577 <!-- Overview --> 1578 <p>MPL-2.0 license</p> 1579 1580 <hr/> 1581 1582 <div class="cta card__cta"> 1583 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0">More about this vulnerability</a></p> 1584 </div> 1585 1586 
</div><!-- .card --> 1587 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1588 <h2 class="card__title">MPL-2.0 license</h2> 1589 <div class="card__section"> 1590 1591 <div class="card__labels"> 1592 <div class="label label--medium"> 1593 <span class="label__text">medium severity</span> 1594 </div> 1595 </div> 1596 1597 <hr/> 1598 1599 <ul class="card__meta"> 1600 <li class="card__meta__item"> 1601 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1602 </li> 1603 <li class="card__meta__item"> 1604 Package Manager: golang 1605 </li> 1606 <li class="card__meta__item"> 1607 Module: 1608 1609 github.com/hashicorp/hcl 1610 </li> 1611 1612 <li class="card__meta__item">Introduced through: 1613 1614 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.0 1615 1616 </li> 1617 </ul> 1618 1619 <hr/> 1620 1621 1622 <h3 class="card__section__title">Detailed paths</h3> 1623 1624 <ul class="card__meta__paths"> 1625 <li> 1626 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1627 github.com/hairyhenderson/gomplate/v4@* 1628 <span class="list-paths__item__arrow">›</span> 1629 github.com/hashicorp/hcl@v1.0.0 1630 1631 </span> 1632 1633 </li> 1634 <li> 1635 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1636 github.com/hairyhenderson/gomplate/v4@* 1637 <span class="list-paths__item__arrow">›</span> 1638 github.com/hashicorp/hcl/hcl/token@v1.0.0 1639 1640 </span> 1641 1642 </li> 1643 </ul><!-- .list-paths --> 1644 1645 </div><!-- .card__section --> 1646 1647 <hr/> 1648 <!-- Overview --> 1649 <p>MPL-2.0 license</p> 1650 1651 <hr/> 1652 1653 <div class="cta card__cta"> 1654 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0">More about this vulnerability</a></p> 1655 </div> 1656 1657 </div><!-- .card --> 1658 <div class="card card--vuln disclosure--not-new 
severity--medium" data-snyk-test="medium"> 1659 <h2 class="card__title">MPL-2.0 license</h2> 1660 <div class="card__section"> 1661 1662 <div class="card__labels"> 1663 <div class="label label--medium"> 1664 <span class="label__text">medium severity</span> 1665 </div> 1666 </div> 1667 1668 <hr/> 1669 1670 <ul class="card__meta"> 1671 <li class="card__meta__item"> 1672 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1673 </li> 1674 <li class="card__meta__item"> 1675 Package Manager: golang 1676 </li> 1677 <li class="card__meta__item"> 1678 Module: 1679 1680 github.com/hashicorp/golang-lru/simplelru 1681 </li> 1682 1683 <li class="card__meta__item">Introduced through: 1684 1685 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2 1686 1687 </li> 1688 </ul> 1689 1690 <hr/> 1691 1692 1693 <h3 class="card__section__title">Detailed paths</h3> 1694 1695 <ul class="card__meta__paths"> 1696 <li> 1697 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1698 github.com/hairyhenderson/gomplate/v4@* 1699 <span class="list-paths__item__arrow">›</span> 1700 github.com/hashicorp/golang-lru/simplelru@v1.0.2 1701 1702 </span> 1703 1704 </li> 1705 </ul><!-- .list-paths --> 1706 1707 </div><!-- .card__section --> 1708 1709 <hr/> 1710 <!-- Overview --> 1711 <p>MPL-2.0 license</p> 1712 1713 <hr/> 1714 1715 <div class="cta card__cta"> 1716 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0">More about this vulnerability</a></p> 1717 </div> 1718 1719 </div><!-- .card --> 1720 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1721 <h2 class="card__title">MPL-2.0 license</h2> 1722 <div class="card__section"> 1723 1724 <div class="card__labels"> 1725 <div class="label label--medium"> 1726 <span class="label__text">medium severity</span> 1727 </div> 1728 </div> 1729 
1730 <hr/> 1731 1732 <ul class="card__meta"> 1733 <li class="card__meta__item"> 1734 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1735 </li> 1736 <li class="card__meta__item"> 1737 Package Manager: golang 1738 </li> 1739 <li class="card__meta__item"> 1740 Module: 1741 1742 github.com/hashicorp/go-uuid 1743 </li> 1744 1745 <li class="card__meta__item">Introduced through: 1746 1747 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-uuid@v1.0.3 1748 1749 </li> 1750 </ul> 1751 1752 <hr/> 1753 1754 1755 <h3 class="card__section__title">Detailed paths</h3> 1756 1757 <ul class="card__meta__paths"> 1758 <li> 1759 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1760 github.com/hairyhenderson/gomplate/v4@* 1761 <span class="list-paths__item__arrow">›</span> 1762 github.com/hashicorp/go-uuid@v1.0.3 1763 1764 </span> 1765 1766 </li> 1767 </ul><!-- .list-paths --> 1768 1769 </div><!-- .card__section --> 1770 1771 <hr/> 1772 <!-- Overview --> 1773 <p>MPL-2.0 license</p> 1774 1775 <hr/> 1776 1777 <div class="cta card__cta"> 1778 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-uuid:MPL-2.0">More about this vulnerability</a></p> 1779 </div> 1780 1781 </div><!-- .card --> 1782 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1783 <h2 class="card__title">MPL-2.0 license</h2> 1784 <div class="card__section"> 1785 1786 <div class="card__labels"> 1787 <div class="label label--medium"> 1788 <span class="label__text">medium severity</span> 1789 </div> 1790 </div> 1791 1792 <hr/> 1793 1794 <ul class="card__meta"> 1795 <li class="card__meta__item"> 1796 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1797 </li> 1798 <li class="card__meta__item"> 1799 Package Manager: golang 1800 </li> 1801 <li 
class="card__meta__item"> 1802 Module: 1803 1804 github.com/hashicorp/go-sockaddr 1805 </li> 1806 1807 <li class="card__meta__item">Introduced through: 1808 1809 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.6 1810 1811 </li> 1812 </ul> 1813 1814 <hr/> 1815 1816 1817 <h3 class="card__section__title">Detailed paths</h3> 1818 1819 <ul class="card__meta__paths"> 1820 <li> 1821 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1822 github.com/hairyhenderson/gomplate/v4@* 1823 <span class="list-paths__item__arrow">›</span> 1824 github.com/hashicorp/go-sockaddr@v1.0.6 1825 1826 </span> 1827 1828 </li> 1829 <li> 1830 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1831 github.com/hairyhenderson/gomplate/v4@* 1832 <span class="list-paths__item__arrow">›</span> 1833 github.com/hashicorp/go-sockaddr/template@v1.0.6 1834 1835 </span> 1836 1837 </li> 1838 </ul><!-- .list-paths --> 1839 1840 </div><!-- .card__section --> 1841 1842 <hr/> 1843 <!-- Overview --> 1844 <p>MPL-2.0 license</p> 1845 1846 <hr/> 1847 1848 <div class="cta card__cta"> 1849 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-sockaddr:MPL-2.0">More about this vulnerability</a></p> 1850 </div> 1851 1852 </div><!-- .card --> 1853 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1854 <h2 class="card__title">MPL-2.0 license</h2> 1855 <div class="card__section"> 1856 1857 <div class="card__labels"> 1858 <div class="label label--medium"> 1859 <span class="label__text">medium severity</span> 1860 </div> 1861 </div> 1862 1863 <hr/> 1864 1865 <ul class="card__meta"> 1866 <li class="card__meta__item"> 1867 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1868 </li> 1869 <li class="card__meta__item"> 1870 Package Manager: golang 1871 </li> 1872 <li class="card__meta__item"> 1873 Module: 
1874 1875 github.com/hashicorp/go-secure-stdlib/strutil 1876 </li> 1877 1878 <li class="card__meta__item">Introduced through: 1879 1880 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 1881 1882 </li> 1883 </ul> 1884 1885 <hr/> 1886 1887 1888 <h3 class="card__section__title">Detailed paths</h3> 1889 1890 <ul class="card__meta__paths"> 1891 <li> 1892 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1893 github.com/hairyhenderson/gomplate/v4@* 1894 <span class="list-paths__item__arrow">›</span> 1895 github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 1896 1897 </span> 1898 1899 </li> 1900 </ul><!-- .list-paths --> 1901 1902 </div><!-- .card__section --> 1903 1904 <hr/> 1905 <!-- Overview --> 1906 <p>MPL-2.0 license</p> 1907 1908 <hr/> 1909 1910 <div class="cta card__cta"> 1911 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:strutil:MPL-2.0">More about this vulnerability</a></p> 1912 </div> 1913 1914 </div><!-- .card --> 1915 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1916 <h2 class="card__title">MPL-2.0 license</h2> 1917 <div class="card__section"> 1918 1919 <div class="card__labels"> 1920 <div class="label label--medium"> 1921 <span class="label__text">medium severity</span> 1922 </div> 1923 </div> 1924 1925 <hr/> 1926 1927 <ul class="card__meta"> 1928 <li class="card__meta__item"> 1929 Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate 1930 </li> 1931 <li class="card__meta__item"> 1932 Package Manager: golang 1933 </li> 1934 <li class="card__meta__item"> 1935 Module: 1936 1937 github.com/hashicorp/go-secure-stdlib/parseutil 1938 </li> 1939 1940 <li class="card__meta__item">Introduced through: 1941 1942 github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 1943 1944 </li> 1945 
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:parseutil:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-secure-stdlib/awsutil
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:awsutil:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-rootcerts
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-rootcerts@v1.0.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-rootcerts:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-retryablehttp
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@v0.7.7
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card
card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-multierror
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-multierror@v1.1.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-immutable-radix
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-immutable-radix@v1.3.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-immutable-radix@v1.3.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-immutable-radix:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-cleanhttp
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@v0.5.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/errwrap
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/errwrap@v1.1.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/consul/api
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/consul/api@v1.29.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/consul/api@v1.29.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:consul:api:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/gosimple/slug
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.14.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/gosimple/slug@v1.14.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a
href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/go-sql-driver/mysql
</li>
<li class="card__meta__item">Introduced through:
github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.8.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/dexidp/dex@*
<span class="list-paths__item__arrow">›</span>
github.com/go-sql-driver/mysql@v1.8.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:go-sql-driver:mysql:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div
class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
github.com/go-jose/go-jose/v4
</li>
<li class="card__meta__item">Introduced through:
github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/hairyhenderson/gomplate/v4@*
<span class="list-paths__item__arrow">›</span>
github.com/go-jose/go-jose/v4@v4.0.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/dexidp/dex@*
<span class="list-paths__item__arrow">›</span>
github.com/go-jose/go-jose/v4@v4.0.4
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters.
</p>
<h2 id="workaround">Workaround</h2>
<p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>github.com/go-jose/go-jose/v4</code> to version 4.0.5 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li>
<li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-8745975">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">CVE-2024-9143</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.20
</li>
<li class="card__meta__item">
Vulnerable module:
openssl/libcrypto3
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span
class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.4-r0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r29
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.4-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.4-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r29
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
<p>Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.</p>
<p>Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low.</p>
<p>In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding.</p>
<p>The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions.</p>
<p>Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds.
Remote code execution cannot easily be ruled out.</p>
<p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r3 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712">https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712</a></li>
<li><a href="https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700">https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700</a></li>
<li><a href="https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4">https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4</a></li>
<li><a href="https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154">https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154</a></li>
<li><a href="https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a">https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a</a></li>
<li><a href="https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41">https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41</a></li>
<li><a href="https://openssl-library.org/news/secadv/20241016.txt">https://openssl-library.org/news/secadv/20241016.txt</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2024/10/16/1">http://www.openwall.com/lists/oss-security/2024/10/16/1</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2024/10/23/1">http://www.openwall.com/lists/oss-security/2024/10/23/1</a></li>
<li><a
href="http://www.openwall.com/lists/oss-security/2024/10/24/1">http://www.openwall.com/lists/oss-security/2024/10/24/1</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20241101-0001/">https://security.netapp.com/advisory/ntap-20241101-0001/</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">CVE-2024-13176</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.20
</li>
<li class="card__meta__item">
Vulnerable module:
openssl/libcrypto3
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.4-r0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced
through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r29
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.4-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.4-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.41.1
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r29
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.3.1-r3
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
<em>See
<code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
<p>Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.</p>
<p>Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.</p>
<p>There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency.
For that reason the severity of this vulnerability is Low.</p>
<p>The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r2 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844">https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844</a></li>
<li><a href="https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467">https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467</a></li>
<li><a href="https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902">https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902</a></li>
<li><a href="https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65">https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65</a></li>
<li><a href="https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f">https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f</a></li>
<li><a href="https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded">https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded</a></li>
<li><a href="https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86">https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86</a></li>
<li><a href="https://openssl-library.org/news/secadv/20250120.txt">https://openssl-library.org/news/secadv/20250120.txt</a></li>
<li><a
href="http://www.openwall.com/lists/oss-security/2025/01/20/2">http://www.openwall.com/lists/oss-security/2025/01/20/2</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20250124-0005/">https://security.netapp.com/advisory/ntap-20250124-0005/</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20250418-0010/">https://security.netapp.com/advisory/ntap-20250418-0010/</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html">https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8690013">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">CVE-2024-12797</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.20
</li>
<li class="card__meta__item">
Vulnerable module:
openssl/libcrypto3
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  apk-tools/apk-tools@2.14.4-r0
  <span class="list-paths__item__arrow">›</span>
  openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  busybox/ssl_client@1.36.1-r29
  <span class="list-paths__item__arrow">›</span>
  openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  apk-tools/apk-tools@2.14.4-r0
  <span class="list-paths__item__arrow">›</span>
  openssl/libssl3@3.3.1-r3
  <span class="list-paths__item__arrow">›</span>
  openssl/libcrypto3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  openssl/libssl3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  apk-tools/apk-tools@2.14.4-r0
  <span class="list-paths__item__arrow">›</span>
  openssl/libssl3@3.3.1-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  busybox/ssl_client@1.36.1-r29
  <span class="list-paths__item__arrow">›</span>
  openssl/libssl3@3.3.1-r3
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
<p>Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.</p>
<p>Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-the-middle attacks when server authentication failure is not detected by clients.</p>
<p>RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER.</p>
<p>Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected.
This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2.</p>
<p>The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.3-r0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9">https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9</a></li>
<li><a href="https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7">https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7</a></li>
<li><a href="https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699">https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699</a></li>
<li><a href="https://openssl-library.org/news/secadv/20250211.txt">https://openssl-library.org/news/secadv/20250211.txt</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2025/02/11/3">http://www.openwall.com/lists/oss-security/2025/02/11/3</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2025/02/11/4">http://www.openwall.com/lists/oss-security/2025/02/11/4</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20250214-0001/">https://security.netapp.com/advisory/ntap-20250214-0001/</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8710359">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">CVE-2025-26519</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--low">
<span
class="label__text">low severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.20
</li>
<li class="card__meta__item">
Vulnerable module:
musl/musl
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.41.1 and musl/musl@1.2.5-r0
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  apk-tools/apk-tools@2.14.4-r0
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  busybox/ssl_client@1.36.1-r29
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  musl/musl-utils@1.2.5-r0
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  apk-tools/apk-tools@2.14.4-r0
  <span class="list-paths__item__arrow">›</span>
  openssl/libcrypto3@3.3.1-r3
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  apk-tools/apk-tools@2.14.4-r0
  <span class="list-paths__item__arrow">›</span>
  openssl/libssl3@3.3.1-r3
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  apk-tools/apk-tools@2.14.4-r0
  <span class="list-paths__item__arrow">›</span>
  zlib/zlib@1.3.1-r1
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  musl/musl-utils@1.2.5-r0
  <span class="list-paths__item__arrow">›</span>
  pax-utils/scanelf@1.3.7-r2
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  alpine-baselayout/alpine-baselayout@3.6.5-r0
  <span class="list-paths__item__arrow">›</span>
  busybox/busybox-binsh@1.36.1-r29
  <span class="list-paths__item__arrow">›</span>
  busybox/busybox@1.36.1-r29
  <span class="list-paths__item__arrow">›</span>
  musl/musl@1.2.5-r0
</span>
</li>
<li>
<span
class="list-paths__item__introduced"><em>Introduced through</em>:
  docker-image|ghcr.io/dexidp/dex@v2.41.1
  <span class="list-paths__item__arrow">›</span>
  musl/musl-utils@1.2.5-r0
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>musl</code> package and not the <code>musl</code> package as distributed by <code>Alpine</code>.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
<p>musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.20</code> <code>musl</code> to version 1.2.5-r1 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da">https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da</a></li>
<li><a href="https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659">https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659</a></li>
<li><a href="https://www.openwall.com/lists/oss-security/2025/02/13/2">https://www.openwall.com/lists/oss-security/2025/02/13/2</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/2">http://www.openwall.com/lists/oss-security/2025/02/13/2</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/3">http://www.openwall.com/lists/oss-security/2025/02/13/3</a></li>
<li><a
href="http://www.openwall.com/lists/oss-security/2025/02/13/4">http://www.openwall.com/lists/oss-security/2025/02/13/4</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/5">http://www.openwall.com/lists/oss-security/2025/02/13/5</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2025/02/14/5">http://www.openwall.com/lists/oss-security/2025/02/14/5</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2025/02/14/6">http://www.openwall.com/lists/oss-security/2025/02/14/6</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE320-MUSL-8720638">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
</body>

</html>