[BUG] CVE-2020-13949 #577
Comments
Hi @pickleMan2 Could you please elaborate what should be upgraded exactly? I don't remember that we're using thrift here at all.
Looks like it's an indirect import from the module https://github.com/go-graphite/go-carbon/blob/master/go.sum#L55-L56. Code vuln scanners generally find these deep things and flag them even when you're not using it.
Well, that's not easy to upgrade then. The Otel package is severely outdated and not upgradable, and removing tracing is not easy either.
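To document a finding like this one, the useful fact is the require chain that drags the flagged module into the build graph, which a go.sum match alone does not show. Added example (not code from go-carbon or this thread): it parses `go mod graph` output and finds the shortest chain from the main module to a target module, and separately checks whether go.sum merely records the module; all module names and hashes are a constructed sample.

```python
# Added example (not code from the go-carbon project): trace how a module
# required only indirectly enters a Go build graph, from `go mod graph`
# output ("parent child" per line). Module names below are a constructed sample.
from collections import deque

SAMPLE_GRAPH = """\
example.com/main example.com/tracing@v0.1.0
example.com/main golang.org/x/sys@v0.1.0
example.com/tracing@v0.1.0 example.com/exporter@v0.3.0
example.com/exporter@v0.3.0 github.com/apache/thrift@v0.13.0
golang.org/x/sys@v0.1.0 golang.org/x/tools@v0.2.0
"""

# Constructed go.sum excerpt; note the entry for a module no longer required.
SAMPLE_GOSUM = """\
github.com/apache/thrift v0.13.0 h1:CONSTRUCTED=
github.com/apache/thrift v0.13.0/go.mod h1:CONSTRUCTED=
github.com/stale/unused v1.0.0/go.mod h1:CONSTRUCTED=
"""

def parse_graph(text):
    """Return {module: [required modules]} from `go mod graph` output."""
    edges = {}
    for line in text.splitlines():
        if line.strip():
            parent, child = line.split()
            edges.setdefault(parent, []).append(child)
    return edges

def module_path(name):
    """Drop the @version suffix so modules compare by import path."""
    return name.split("@", 1)[0]

def require_chain(edges, root, target):
    """Shortest require chain from root to target (BFS); None if unreachable."""
    queue, seen = deque([(root, [root])]), {root}
    while queue:
        node, path = queue.popleft()
        if module_path(node) == target:
            return path
        for child in edges.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    return None

def in_gosum(gosum_text, target):
    """True if go.sum records the module path at all (what scanners match on)."""
    return any(l.split()[0] == target for l in gosum_text.splitlines() if l.strip())
```

A module present in the graph is still not necessarily linked into the binary; `go mod why -m <module>` or `govulncheck` answer the package-level reachability question for a real repository.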
Based on the first line of the Apache issue tied to the CVE, using this version of the library isn't the problem as it's on the server side not handling short messages.
I'm not the original reporter but have to deal with this quite often. I would note this as "not upgradeable per vendor" and "no impact or risk with use of the go-carbon service" in whatever system reported it and ignore it for 12 months.
Describe the bug
The Thrift Package appears to be affected by CVE-2020-13949, would the team be able to upgrade this package on this project so that it is no longer picked up on our scan reports?
https://nvd.nist.gov/vuln/detail/CVE-2020-13949
Go-carbon Configuration:
https://github.com/go-graphite/go-carbon/blob/master/go.sum