warrensbox/terraform-switcher

Update `golang.org/x/text` and `gopkg.in/yaml` version pinning to address CVEs


There are a number of vulnerabilities in the following go libraries:

usr/local/bin/tfswitch (gobinary)

Total: 4 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2021-38561 │ HIGH     │ v0.3.5            │ 0.3.7         │ golang: out-of-bounds read in golang.org/x/text/language     │
│                   │                │          │                   │               │ leads to DoS                                                 │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-38561                   │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/yaml.v2  │ CVE-2019-11254 │ MEDIUM   │ v2.2.2            │ 2.2.8         │ kubernetes: Denial of service in API server via crafted YAML │
│                   │                │          │                   │               │ payloads by...                                               │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-11254                   │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/yaml.v2  │ GMS-2019-2     │ UNKNOWN  │ v2.2.2            │ v2.2.3        │ XML Entity Expansion                                         │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/yaml.v2  │ GO-2021-0061   │ UNKNOWN  │ v2.2.2            │ 2.2.3         │ Due to unbounded alias chasing, a maliciously crafted YAML   │
│                   │                │          │                   │               │ file                                                         │
│                   │                │          │                   │               │ can cause the...                                             │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Can we update the version pinning and look to pull in the latest versions of the above-mentioned libraries?
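As an added example (not code from the terraform-switcher project), a small Go checker that reads go.mod text and reports any require entry pinned below the fixed versions from the scan table above; the MinFixed bounds come from that table and the go.mod excerpt in main is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// MinFixed: lowest version clearing every finding in the scan above
// (yaml.v2 needs 2.2.8 for CVE-2019-11254, not just the 2.2.3 fixes).
var MinFixed = map[string]string{
	"golang.org/x/text": "v0.3.7",
	"gopkg.in/yaml.v2":  "v2.2.8",
}

// semverKey orders "vMAJOR.MINOR.PATCH" as an int (pseudo-version and build suffixes dropped; assumes parts < 1000).
func semverKey(v string) int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	key := 0
	for _, p := range append(strings.SplitN(v, ".", 3), "0", "0")[:3] {
		n, _ := strconv.Atoi(p)
		key = key*1000 + n
	}
	return key
}

// VulnerableRequires scans go.mod text (single-line or block "require"
// form) and returns module -> pinned version for entries below MinFixed.
func VulnerableRequires(gomod string) map[string]string {
	found := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && MinFixed[f[0]] != "" && semverKey(f[1]) < semverKey(MinFixed[f[0]]) {
			found[f[0]] = f[1]
		}
	}
	return found
}

func main() { // constructed go.mod excerpt mirroring the scan's versions
	for m, v := range VulnerableRequires("require (\n\tgolang.org/x/text v0.3.5\n\tgopkg.in/yaml.v2 v2.2.2 // indirect\n)\n") {
		fmt.Printf("%s %s is below fixed %s\n", m, v, MinFixed[m])
	}
}
```

The checker only looks at require lines, so replace directives and transitively selected versions are not considered; `go list -m all` shows the effective module set a build actually uses.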

jukie commented

Thanks for bringing this up, I'll get them updated.