CVE-2020-29652 in golang.org/x/crypto
bkmzio opened this issue · 8 comments
bkmzio commented
Building a Docker image with the latest version of render 0.2.0 installed. Scanning with Trivy provides the following:
```
usr/bin/render (gobinary)
=========================
Total: 5 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
+-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
|           LIBRARY           | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION            |                 TITLE                 |
+-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| github.com/dgrijalva/jwt-go | CVE-2020-26160   | HIGH     | v3.2.0+incompatible                |                                    | jwt-go: access restriction            |
|                             |                  |          |                                    |                                    | bypass vulnerability                  |
|                             |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-26160 |
+-----------------------------+------------------+          +------------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto         | CVE-2020-29652   |          | v0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
|                             |                  |          |                                    |                                    | authentication request can            |
|                             |                  |          |                                    |                                    | lead to nil pointer dereference       |
|                             |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
+-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| gopkg.in/yaml.v2            | CVE-2019-11254   | MEDIUM   | v2.2.2                             | v2.2.8                             | kubernetes: Denial of                 |
|                             |                  |          |                                    |                                    | service in API server via             |
|                             |                  |          |                                    |                                    | crafted YAML payloads by...           |
|                             |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2019-11254 |
+                             +------------------+----------+                                    +------------------------------------+---------------------------------------+
|                             | GMS-2019-2       | UNKNOWN  |                                    | v2.2.3                             | XML Entity Expansion                  |
+                             +------------------+          +                                    +                                    +---------------------------------------+
|                             | GO-2021-0061     |          |                                    |                                    |                                       |
+-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
```
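As an added illustration of where a table like the one above comes from (this is not code from the render project or from Trivy): a Go binary carries its module list in the build info section, and a scanner reads that list and compares each module's version against the advisory's fixed version. The program below uses the standard library `debug/buildinfo` to read the dependency list from a binary passed on the command line, and matches it against a small advisory table constructed from the rows in the scan output above (module paths, IDs and fixed versions as shown there; the table is not a real vulnerability database, and the `Affected`, `Compare`, `MatchModule` and `Scan` names are my own). Versions are compared with a simplified semver ordering, which also orders Go pseudo-versions correctly because their prerelease part starts with a fixed-width timestamp; an advisory with no fixed version is treated as affecting every installed version.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Advisory is one row of a scanner's database for a module path.
// An empty Fixed means the scanner knows no fixed version.
type Advisory struct {
	ID    string
	Fixed string
}

// advisories is constructed from the Trivy output in this issue; it is a
// hypothetical stand-in for a real vulnerability database.
var advisories = map[string][]Advisory{
	"github.com/dgrijalva/jwt-go": {{"CVE-2020-26160", ""}},
	"golang.org/x/crypto":         {{"CVE-2020-29652", "v0.0.0-20201216223049-8b5274cf687f"}},
	"gopkg.in/yaml.v2": {
		{"CVE-2019-11254", "v2.2.8"},
		{"GMS-2019-2", "v2.2.3"},
		{"GO-2021-0061", "v2.2.3"}, // shares the v2.2.3 cell with GMS-2019-2 in the table
	},
}

// parse splits "v1.2.3-pre+meta" into its numeric core and prerelease string.
// Build metadata such as "+incompatible" is dropped, as semver requires.
func parse(v string) (core [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return core, "", false
		}
		core[i] = n
	}
	return core, pre, true
}

// comparePre orders two prerelease strings identifier by identifier (semver §11):
// numeric identifiers compare numerically and sort before alphanumeric ones.
// A Go pseudo-version prerelease ("20200622213623-75b288015ac9") is a single
// alphanumeric identifier, so its leading timestamp decides the order.
func comparePre(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		na, errA := strconv.Atoi(as[i])
		nb, errB := strconv.Atoi(bs[i])
		switch {
		case errA == nil && errB == nil:
			if na != nb {
				if na < nb {
					return -1
				}
				return 1
			}
		case errA == nil:
			return -1
		case errB == nil:
			return 1
		default:
			if c := strings.Compare(as[i], bs[i]); c != 0 {
				return c
			}
		}
	}
	if len(as) != len(bs) {
		if len(as) < len(bs) {
			return -1
		}
		return 1
	}
	return 0
}

// Compare returns -1, 0 or 1 ordering version a relative to b.
func Compare(a, b string) int {
	ca, pa, _ := parse(a)
	cb, pb, _ := parse(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch { // a prerelease sorts before the release with the same core
	case pa == "" && pb == "":
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return comparePre(pa, pb)
}

// Affected reports whether an installed version is below the fixed version.
// With no known fix, every installed version is reported (scanner convention).
func Affected(installed, fixed string) bool {
	return fixed == "" || Compare(installed, fixed) < 0
}

// MatchModule returns the IDs of advisories that apply to one module version.
func MatchModule(path, version string) []string {
	var ids []string
	for _, adv := range advisories[path] {
		if Affected(version, adv.Fixed) {
			ids = append(ids, adv.ID)
		}
	}
	return ids
}

// Scan reads the embedded module list of a Go binary and reports matches.
func Scan(binary string) ([]string, error) {
	bi, err := buildinfo.ReadFile(binary)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, dep := range bi.Deps {
		mod := dep
		if dep.Replace != nil { // a replace directive is what was actually built
			mod = dep.Replace
		}
		for _, id := range MatchModule(mod.Path, mod.Version) {
			findings = append(findings, fmt.Sprintf("%s %s %s", mod.Path, mod.Version, id))
		}
	}
	return findings, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: scan <go-binary>")
		os.Exit(2)
	}
	findings, err := Scan(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run as `go run . /path/to/render`; the same module list can be viewed by hand with `go version -m /path/to/render`. The check is purely version-based, like the table above: it says nothing about whether the binary ever reaches the vulnerable `crypto/ssh` or `jwt-go` code path, which is why the other commenter's approach of dropping the dependency altogether also clears the finding.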
github-actions commented
Welcome to the render project!
danielzhanghl commented
Any plan to upgrade to solve this?
Thanks.
danielzhanghl commented
Seems it's not an active project, and I chose to remove the Sprig and crypto-related code, as I only need a simple render, like in danielzhanghl@27f0fd8
bkmzio commented
+CVE-2020-14040 also
github-actions commented
Marked as stale due to inactivity. Will be closed in 30 days.
bkmzio commented
/remove-lifecycle stale
github-actions commented
Marked as stale due to inactivity. Will be closed in 30 days.
github-actions commented
Closed due to inactivity for 90 days.