CVE-2023-29403

Question

CVE-2023-29403

Sravani-K opened this issue 7 months ago · 3 comments

I am trying to provision mongo:7.0.4 image in our corporate repository where security scanner has shown vulnerabilities with go binaries. As these are from gosu, I have used govulncheck tool with GOSU_VERSION 1.16.

It has reported a CVE, CVE-2023-29403. Can you please fix or provide justification if it is not an issue?

Answer 1 · 2023-12-18T15:06:32.000Z

@Sravani-K this is a false positive: https://github.com/tianon/gosu/blob/master/SECURITY.md#reporting-vulnerabilities

Answer 2 · 2023-12-18T17:33:47.000Z

indeed: https://github.com/tianon/gosu/blob/2dada3bb5dfbc1e7162a29907691b6f45995d54e/govulncheck-with-excludes.sh#L9-L12 -> tianon/gosu#128 (comment)

Answer 3 · 2023-12-19T06:14:22.000Z

@yosifkit missed the wrapper script. Thank you for the response.