xmidt-org/hecate

CVE-2020-13949 (High) detected in github.com/open-telemetry/opentelemetry-go-v0.19.0 - autoclosed

mend-bolt-for-github opened this issue · 1 comment

CVE-2020-13949 - High Severity Vulnerability

Vulnerable Library - github.com/open-telemetry/opentelemetry-go-v0.19.0

OpenTelemetry Go API and SDK

Dependency Hierarchy:

  • github.com/xmidt-org/themis-v0.4.7 (Root Library)
    • github.com/xmidt-org/candlelight-v0.0.5
      • github.com/open-telemetry/opentelemetry-go-v0.19.0 (Vulnerable Library)

Found in HEAD commit: 05870796dac0956e1a32b0e2deb58f2ce2a1c875

Found in base branch: main

Vulnerability Details

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Publish Date: 2021-02-12

URL: CVE-2020-13949

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E

Release Date: 2021-02-12

Fix Resolution: v0.14.0


✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.