[BUG] CVE-2020-13949 #577
Comments
|
Ho @pickleMan2 Could you please elaborate what should be upgraded exactly? I don't remember that we're using thrift here at all |
|
Looks like it's an indirect import from the module https://github.com/go-graphite/go-carbon/blob/master/go.sum#L55-L56 Code vuln scanners generally find these deep things and flag them even when you're not using it. |
|
Well, that's not easy to upgrade then. Otel package is severely outdated and not upgradable and remove tracing is not easy either. |
|
Based on the first line of the Apache issue tied to the CVE, using this version of the library isn't the problem as it's on the server side not handling short messages.
I'm not the original reporter but have to deal with this quite often. I would note this as "not upgradeable per vendor" and "no impact or risk with use of the go-carbon service" in whatever system reported it and ignore it for 12 months. |
Describe the bug
The Thrift Package appears to be affected by CVE-2020-13949, would the team be able to upgrade this package on this project so that it is no longer picked up on our scan reports?
https://nvd.nist.gov/vuln/detail/CVE-2020-13949
Go-carbon Configuration:
https://github.com/go-graphite/go-carbon/blob/master/go.sum
The text was updated successfully, but these errors were encountered: