github.com/google/go-containerregistry-v0.1.0: 7 vulnerabilities (highest severity is: 7.5) #16

Open
mend-for-github-com bot opened this issue May 9, 2022 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

mend-for-github-com bot commented May 9, 2022

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-26160 | High | 7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v4.0.0-preview1 | |
| CVE-2021-44716 | High | 7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70 | |
| CVE-2020-14040 | High | 7.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v0.3.3 | |
| CVE-2021-31525 | Medium | 5.9 | github.com/google/go-containerregistry-v0.1.0 | Direct | golang - v1.15.12, v1.16.4, v1.17.0 | |
| CVE-2020-8565 | Medium | 5.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v1.20.0-alpha.2 | |
| CVE-2020-8564 | Medium | 5.5 | github.com/google/go-containerregistry-v0.1.0 | Direct | v1.17.13, v1.18.10, v1.19.3 | |
| CVE-2021-41190 | Medium | 5.0 | github.com/google/go-containerregistry-v0.1.0 | Direct | v2.8.0 | |

Details

CVE-2020-26160

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Dependency Hierarchy:

  • github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26160

Release Date: 2020-09-30

Fix Resolution: v4.0.0-preview1

CVE-2021-44716

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Dependency Hierarchy:

  • github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70

CVE-2020-14040

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Dependency Hierarchy:

  • github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

CVE-2021-31525

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Dependency Hierarchy:

  • github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0

CVE-2020-8565

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Dependency Hierarchy:

  • github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.

Publish Date: 2020-12-07

URL: CVE-2020-8565

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0064

Release Date: 2020-12-07

Fix Resolution: v1.20.0-alpha.2

CVE-2020-8564

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Dependency Hierarchy:

  • github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.

Publish Date: 2020-12-07

URL: CVE-2020-8564

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: kubernetes/kubernetes#95622

Release Date: 2020-12-07

Fix Resolution: v1.17.13,v1.18.10,v1.19.3

CVE-2021-41190

Vulnerable Library - github.com/google/go-containerregistry-v0.1.0

Go library and CLIs for working with container registries

Dependency Hierarchy:

  • github.com/google/go-containerregistry-v0.1.0 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.

Publish Date: 2021-11-17

URL: CVE-2021-41190

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq97-vm5h-rrhg

Release Date: 2021-11-17

Fix Resolution: v2.8.0

@mend-for-github-com mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label May 9, 2022
@mend-for-github-com mend-for-github-com bot changed the title github.com/google/go-containerregistry-v0.1.0: 3 vulnerabilities (highest severity is: 7.5) github.com/google/go-containerregistry-v0.1.0: 7 vulnerabilities (highest severity is: 7.5) May 9, 2022
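The CVE-2020-26160 entry above describes a failed type assertion on the `aud` claim in jwt-go, which the report attributes to go-containerregistry because jwt-go is pulled in through its dependency tree. The following Go program is an added illustration of that bug and its fix; it is not code from jwt-go, go-containerregistry, or the bot. It reimplements the audience check over a generic claims map so it runs with the standard library only: `vulnerableVerifyAudience` does the single string assertion that made an array-valued `aud` collapse to `""`, and `fixedVerifyAudience` handles both encodings the JWT specification allows. The `Claims` type, the function names and the sample payloads are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims mirrors a JWT payload decoded into a generic map (jwt-go's MapClaims shape).
type Claims map[string]interface{}

// vulnerableVerifyAudience reproduces the pre-4.0.0-preview1 logic: a single
// type assertion to string. RFC 7519 allows "aud" to be an array; that value
// fails the assertion, aud becomes "", and the check collapses to !required.
func vulnerableVerifyAudience(m Claims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == cmp
}

// fixedVerifyAudience accepts both encodings of "aud" and treats a present but
// malformed claim as a failure rather than as an absent one.
func fixedVerifyAudience(m Claims, cmp string, required bool) bool {
	raw, present := m["aud"]
	if !present {
		return !required
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []string: // claims built in code rather than decoded from JSON
		auds = v
	case []interface{}: // what encoding/json produces for a JSON array
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if a == cmp {
			return true
		}
	}
	return false
}

// parseClaims decodes a JWT payload segment (already base64url-decoded) into Claims.
func parseClaims(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed sample payloads; not tokens from any real issuer.
	payloads := []string{
		`{"sub":"alice","aud":"billing-api"}`,
		`{"sub":"mallory","aud":["reports-api","admin-api"]}`,
		`{"sub":"bob"}`,
	}
	for _, p := range payloads {
		c, err := parseClaims(p)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%-52s vulnerable=%-5v fixed=%v\n", p,
			vulnerableVerifyAudience(c, "billing-api", false),
			fixedVerifyAudience(c, "billing-api", false))
	}
}
```

The second payload is the case the advisory describes: a token minted for other services is accepted by the old check when the caller passes `required=false`, and rejected by the fixed one. Note that the fix in the library does not remove the need for the service itself to state which audience it expects; the bypass only matters for services that relied on the library's default.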
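The CVE-2020-14040 entry concerns a UTF-16 decoder built with `UseBOM` or `ExpectBOM` that never makes progress on a one-byte input. The x/text fix is the real remedy (upgrade to 0.3.3). As an added example, not code from x/text or from this project, the Go program below is a small stand-alone UTF-16 decoder written so that the invariant the bug violated holds by construction: every call either consumes whole code units or returns an error, so a lone byte fails immediately instead of looping. The `BOMPolicy` names only loosely mirror the x/text options, and all inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
)

// BOMPolicy mirrors the three policies a UTF-16 decoder can be built with.
type BOMPolicy int

const (
	IgnoreBOM BOMPolicy = iota // never strip a BOM; decode it as U+FEFF
	UseBOM                     // honour a leading BOM if present, else assume big-endian
	ExpectBOM                  // a leading BOM is mandatory
)

var (
	ErrMissingBOM = errors.New("utf16: byte-order mark required but absent")
	ErrOddLength  = errors.New("utf16: input ends in the middle of a code unit")
)

// DecodeUTF16 converts src to a UTF-8 string. Every path either consumes at
// least two bytes per iteration or returns an error, so a one-byte input
// cannot keep the decoder spinning the way CVE-2020-14040 describes.
func DecodeUTF16(src []byte, policy BOMPolicy) (string, error) {
	bigEndian := true
	switch {
	case policy != IgnoreBOM && len(src) >= 2 && src[0] == 0xFE && src[1] == 0xFF:
		src = src[2:]
	case policy != IgnoreBOM && len(src) >= 2 && src[0] == 0xFF && src[1] == 0xFE:
		bigEndian = false
		src = src[2:]
	case policy == ExpectBOM:
		// Covers both "no BOM" and "fewer than two bytes": fail, do not wait.
		return "", ErrMissingBOM
	}
	if len(src)%2 != 0 {
		return "", ErrOddLength
	}
	units := make([]uint16, 0, len(src)/2)
	for i := 0; i+1 < len(src); i += 2 {
		if bigEndian {
			units = append(units, uint16(src[i])<<8|uint16(src[i+1]))
		} else {
			units = append(units, uint16(src[i+1])<<8|uint16(src[i]))
		}
	}
	// utf16.Decode replaces unpaired surrogates with U+FFFD rather than failing.
	return string(utf16.Decode(units)), nil
}

func main() {
	// Constructed inputs, including the single-byte case from the advisory.
	cases := []struct {
		name   string
		src    []byte
		policy BOMPolicy
	}{
		{"BE with BOM", []byte{0xFE, 0xFF, 0x00, 0x68, 0x00, 0x69}, ExpectBOM},
		{"LE with BOM", []byte{0xFF, 0xFE, 0x68, 0x00, 0x69, 0x00}, UseBOM},
		{"single byte, ExpectBOM", []byte{0xFE}, ExpectBOM},
		{"single byte, UseBOM", []byte{0x00}, UseBOM},
		{"no BOM, ExpectBOM", []byte{0x00, 0x68}, ExpectBOM},
	}
	for _, c := range cases {
		s, err := DecodeUTF16(c.src, c.policy)
		fmt.Printf("%-24s -> %q err=%v\n", c.name, s, err)
	}
}
```

When reviewing any streaming transformer, the property to check is the one this decoder makes explicit: on short input it must return an error (or report how many bytes it consumed) rather than `nil` with zero progress, because callers such as `transform.String` loop until the transformer says it is done.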
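CVE-2020-8565 and CVE-2020-8564 above are both credential-in-logs bugs in Kubernetes: bearer tokens written out at verbosity 9, and the full contents of a docker config file dumped on a parse error at verbosity 4. The Go program below is an added illustration of the pattern and its remedy in a registry client; it is not Kubernetes, kubectl or go-containerregistry code. It pairs a loader that echoes the raw config into the error message with one that logs only the size and the parse error, and adds a line filter that masks `Authorization` credentials in verbose HTTP dumps. The `DockerConfig` struct, the `logf` type, the function names and the inputs (including the base64 value and the bearer token) are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// DockerConfig is the credential-bearing part of ~/.docker/config.json.
type DockerConfig struct {
	Auths map[string]AuthEntry `json:"auths"`
}

// AuthEntry holds the per-registry fields that must never reach a log.
type AuthEntry struct {
	Auth          string `json:"auth,omitempty"`
	Username      string `json:"username,omitempty"`
	Password      string `json:"password,omitempty"`
	IdentityToken string `json:"identitytoken,omitempty"`
}

// logf is a printf-style logger, injected so callers (and the test) can
// capture exactly what would have been written.
type logf func(format string, args ...interface{})

// leakyLoadDockerConfig shows the pattern behind CVE-2020-8564: the raw file,
// credentials included, goes into the error log when parsing fails.
func leakyLoadDockerConfig(raw []byte, log logf) (*DockerConfig, error) {
	var cfg DockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		log("failed to parse docker config %q: %v", raw, err)
		return nil, err
	}
	return &cfg, nil
}

// safeLoadDockerConfig logs only what is needed to debug the failure.
func safeLoadDockerConfig(raw []byte, log logf) (*DockerConfig, error) {
	var cfg DockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		log("failed to parse docker config (%d bytes): %v", len(raw), err)
		return nil, err
	}
	return &cfg, nil
}

// authHeaderRe matches the credential part of Authorization header lines as
// they appear in verbose HTTP dumps (the data CVE-2020-8565 exposes at -v=9).
var authHeaderRe = regexp.MustCompile(`(?i)(authorization:\s*(?:bearer|basic)\s+)\S+`)

// RedactLine masks credentials in one log line before it is emitted.
func RedactLine(line string) string {
	return authHeaderRe.ReplaceAllString(line, "${1}<redacted>")
}

// RedactDump applies RedactLine to every line of a multi-line request dump.
func RedactDump(dump string) string {
	lines := strings.Split(dump, "\n")
	for i, l := range lines {
		lines[i] = RedactLine(l)
	}
	return strings.Join(lines, "\n")
}

func main() {
	// Constructed inputs: a malformed config carrying a secret (missing its
	// closing brace) and a verbose client dump carrying a bearer token.
	malformed := []byte(`{"auths":{"registry.example.com":{"auth":"dXNlcjpzM2NyM3Q="}}`)
	dump := "GET /v2/library/app/manifests/latest HTTP/1.1\n" +
		"Host: registry.example.com\n" +
		"Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.signature\n" +
		"Accept: application/vnd.oci.image.index.v1+json\n"

	stderr := func(format string, args ...interface{}) { fmt.Printf(format+"\n", args...) }
	fmt.Println("-- leaky loader --")
	leakyLoadDockerConfig(malformed, stderr)
	fmt.Println("-- safe loader --")
	safeLoadDockerConfig(malformed, stderr)
	fmt.Println("-- redacted dump --")
	fmt.Print(RedactDump(dump))
}
```

The design point is that redaction belongs at the sink, not at the call site: a verbosity flag is an operator setting and will be raised in production during an incident, so any path that can print a request or a config file must be safe at every level.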
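The CVE-2021-41190 entry gives the client-side mitigation in prose: distrust the `Content-Type` header, reject a document that carries both index and manifest fields, and require the in-document `mediaType` to agree with the header. The Go function below is an added example of that check, not go-containerregistry's own parsing code. It classifies a pulled document from its body, refuses the ambiguous shape, and cross-checks the declared `mediaType` and the registry's `Content-Type` against the structure. The `Kind` type, the error values, the function name and the sample documents are constructed for the example; the media type constants are the standard OCI and Docker values. One deliberate choice, noted in the comments, is that a `Content-Type` outside the known manifest/index types (such as a bare `application/json`) is ignored rather than treated as a mismatch, since the body is the authority.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
)

// Kind is what the document body says it is, independent of any header.
type Kind int

const (
	KindUnknown Kind = iota
	KindManifest
	KindIndex
)

const (
	MediaTypeOCIManifest    = "application/vnd.oci.image.manifest.v1+json"
	MediaTypeOCIIndex       = "application/vnd.oci.image.index.v1+json"
	MediaTypeDockerManifest = "application/vnd.docker.distribution.manifest.v2+json"
	MediaTypeDockerList     = "application/vnd.docker.distribution.manifest.list.v2+json"
)

var (
	ErrAmbiguous         = errors.New("oci: document mixes index and manifest fields")
	ErrNoKind            = errors.New("oci: document has neither manifests nor layers/config")
	ErrMediaTypeMismatch = errors.New("oci: mediaType/Content-Type disagree with document structure")
)

// kindOf maps the media types a registry may send to the structure they imply.
var kindOf = map[string]Kind{
	MediaTypeOCIManifest:    KindManifest,
	MediaTypeDockerManifest: KindManifest,
	MediaTypeOCIIndex:       KindIndex,
	MediaTypeDockerList:     KindIndex,
}

// ClassifyManifest classifies a pulled document from its body alone, then
// requires that a declared mediaType and a recognised Content-Type agree with
// that structure and with each other. Ambiguous documents are rejected.
func ClassifyManifest(raw []byte, contentType string) (Kind, error) {
	var probe struct {
		MediaType string          `json:"mediaType"`
		Manifests json.RawMessage `json:"manifests"`
		Layers    json.RawMessage `json:"layers"`
		Config    json.RawMessage `json:"config"`
	}
	if err := json.Unmarshal(raw, &probe); err != nil {
		return KindUnknown, err
	}
	hasIndexFields := probe.Manifests != nil
	hasManifestFields := probe.Layers != nil || probe.Config != nil

	var kind Kind
	switch {
	case hasIndexFields && hasManifestFields:
		return KindUnknown, ErrAmbiguous
	case hasIndexFields:
		kind = KindIndex
	case hasManifestFields:
		kind = KindManifest
	default:
		return KindUnknown, ErrNoKind
	}

	// A declared mediaType must describe the structure actually present.
	if probe.MediaType != "" && kindOf[probe.MediaType] != kind {
		return KindUnknown, ErrMediaTypeMismatch
	}
	if contentType != "" {
		mt, _, err := mime.ParseMediaType(contentType)
		if err != nil {
			return KindUnknown, err
		}
		// Unrecognised types (e.g. application/json) are ignored; the body decides.
		if k, known := kindOf[mt]; known {
			if k != kind {
				return KindUnknown, ErrMediaTypeMismatch
			}
			// Spec 1.0.1: the in-document mediaType must equal the header value.
			if probe.MediaType != "" && probe.MediaType != mt {
				return KindUnknown, ErrMediaTypeMismatch
			}
		}
	}
	return kind, nil
}

func main() {
	// Constructed documents; digests are placeholders, not real content.
	ambiguous := []byte(`{"schemaVersion":2,"manifests":[{"digest":"sha256:aaaa","mediaType":"application/vnd.oci.image.manifest.v1+json","size":1}],"config":{"digest":"sha256:bbbb","mediaType":"application/vnd.oci.image.config.v1+json","size":2},"layers":[]}`)
	manifest := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"digest":"sha256:bbbb","mediaType":"application/vnd.oci.image.config.v1+json","size":2},"layers":[]}`)
	for _, c := range []struct {
		doc []byte
		ct  string
	}{{ambiguous, MediaTypeOCIIndex}, {manifest, MediaTypeOCIManifest}, {manifest, MediaTypeOCIIndex}} {
		k, err := ClassifyManifest(c.doc, c.ct)
		fmt.Printf("Content-Type=%-45s kind=%d err=%v\n", c.ct, k, err)
	}
}
```

The practical consequence for a pull path is that a document fetched twice by digest with two different `Content-Type` headers will either classify identically both times or be rejected both times, which removes the interpretation flip the advisory describes.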