High rated vulnerability in `golang.org/x/text` (CVE-2022-32149)
mix4242 opened this issue · 0 comments
mix4242 commented
Hi there 👋🏻
There exists a high rated vulnerability in golang.org/x/text at v0.3.7 which is fixed in v0.3.8. The CVE is CVE-2022-32149.

To reproduce, scan the latest 6.7.11 docker image with trivy as follows:
Trivy vulnerability scan

```
/Users/max > trivy image --scanners vuln --ignore-unfixed --severity high rwynn/monstache:6.7.11
2023-04-28T08:08:45.886+0100 INFO Vulnerability scanning is enabled
2023-04-28T08:08:45.908+0100 INFO Detected OS: alpine
2023-04-28T08:08:45.908+0100 INFO Detecting Alpine vulnerabilities...
2023-04-28T08:08:45.909+0100 INFO Number of language-specific files: 1
2023-04-28T08:08:45.909+0100 INFO Detecting gobinary vulnerabilities...

rwynn/monstache:6.7.11 (alpine 3.15.0)

Total: 34 (HIGH: 34)

(...OMITTED...)

bin/monstache (gobinary)

Total: 1 (HIGH: 1)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │   HIGH   │      v0.3.7       │     0.3.8     │ golang: golang.org/x/text/language: ParseAcceptLanguage  │
│                   │                │          │                   │               │ takes a long time to parse complex tags                  │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-32149               │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
```
Please could version v0.3.8 be used to fix this vulnerability :)

Thank you
P.S. Never used golang, but if someone could confirm it's just a case of adding `golang.org/x/text v0.3.8 // indirect` in go.mod, I'd be happy to open a PR :)
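As an added example (not part of this issue, monstache or trivy), the check trivy performed above on `bin/monstache`, written in Go: it walks the module list the Go toolchain embeds in every binary (the same data `go version -m` prints) and flags `golang.org/x/text` older than v0.3.8, treating pseudo-versions of v0.3.8 as older. The build info here is constructed; for a real binary, the standard-library `debug/buildinfo.ReadFile(path)` returns the same `*debug.BuildInfo`.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

// Module and first fixed release, as reported by trivy in the issue above.
const vulnModule, fixedVer = "golang.org/x/text", "v0.3.8"

// olderThan reports whether semver a sorts before b; a pre-release or pseudo-version
// of b's own number (v0.3.8-0.2022...) counts as older, unparseable ones are never flagged.
func olderThan(a, b string) bool {
	var na, nb [3]int
	_, errA := fmt.Sscanf(a, "v%d.%d.%d", &na[0], &na[1], &na[2])
	_, errB := fmt.Sscanf(b, "v%d.%d.%d", &nb[0], &nb[1], &nb[2])
	for i := 0; errA == nil && errB == nil && i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return errA == nil && errB == nil && strings.Contains(a, "-") && !strings.Contains(b, "-")
}

// vulnerableTextVersion walks the module list embedded in a Go binary (what trivy's
// gobinary scanner reads) and reports golang.org/x/text if it predates the fix; replace wins.
func vulnerableTextVersion(bi *debug.BuildInfo) (string, bool) {
	for _, m := range bi.Deps {
		if m.Replace != nil {
			m = m.Replace
		}
		if m.Path == vulnModule && olderThan(m.Version, fixedVer) {
			return m.Version, true
		}
	}
	return "", false
}

// sampleBuildInfo is a constructed stand-in for a binary that, like bin/monstache
// in the scan above, still links v0.3.7; nothing is read from the real image.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{Deps: []*debug.Module{{Path: vulnModule, Version: "v0.3.7"}}}
}

// For a binary on disk, pass debug/buildinfo.ReadFile(path) instead of the sample.
func main() {
	if v, bad := vulnerableTextVersion(sampleBuildInfo()); bad {
		fmt.Printf("%s %s predates %s (CVE-2022-32149)\n", vulnModule, v, fixedVer)
	}
}
```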