Security vulnerabilities introduced by supercronic #88
Comments
👋 Thanks, Jira [PACT-590] ticket created.
👋 Thanks, Jira [PACT-599] ticket created.
jorander added a commit to jorander/pact-broker-docker that referenced this issue Jan 31, 2023
… security issues.
bethesque pushed a commit that referenced this issue Feb 2, 2023
Released in tag 2.106.0.0
Pre issue-raising checklist
I have already (please mark the applicable with an x):
Software versions
Expected behaviour
No security vulnerabilities in the image
Actual behaviour
Two security vulnerabilities found:
(CVE-2021-38297 and CVE-2022-23806)
Steps to reproduce
Version 2.105.0.0 of pact-broker uses supercronic with version v0.1.11 which introduces the above security vulnerabilities caused by using an old version of golang (1.14.4).
These vulnerabilities are fixed in golang version 1.17.7+ and are addressed in supercronic v0.2.0 so an upgrade for supercronic to v0.2.0+ would solve it.
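One way to confirm which Go toolchain a bundled binary such as supercronic was built with, and compare it with the fixed Go version named above. This is an added example, not part of the original issue or the project's code; the function names and the `MIN_GO` variable are illustrative, and it assumes a local `go` toolchain, whose `go version FILE` subcommand reports the Go version a binary was built with.

```shell
#!/bin/sh
# Added example: flag Go binaries built with a toolchain older than a minimum.
# The default 1.17.7 is the fixed Go version named in the issue.
MIN_GO="${MIN_GO:-1.17.7}"

# Normalise "go1.14.4", "1.18" or "go1.21rc1" to "major minor patch".
# Pre-release suffixes (rc1, beta2) are dropped, so rc builds count as .0.
go_version_fields() {
    v=${1#go}
    v=$(printf '%s' "$v" | sed 's/[a-z].*$//')
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Return 0 when version $1 is greater than or equal to version $2.
go_version_at_least() {
    set -- $(go_version_fields "$1") $(go_version_fields "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# `go version FILE` prints "FILE: go1.14.4"; extract the version token.
binary_go_version() {
    go version "$1" 2>/dev/null | sed -n 's/^.*: \(go[^ ]*\).*$/\1/p'
}

check_binary() {
    built=$(binary_go_version "$1")
    if [ -z "$built" ]; then
        echo "UNKNOWN $1 (not a Go binary, or go toolchain missing)"
        return 2
    fi
    if go_version_at_least "$built" "$MIN_GO"; then
        echo "OK      $1 built with $built"
    else
        echo "OLD     $1 built with $built (older than go$MIN_GO)"
        return 1
    fi
}

# Runs only when binary paths are passed as arguments.
if [ "$#" -gt 0 ]; then
    status=0
    for bin in "$@"; do check_binary "$bin" || status=1; done
    exit "$status"
fi
```

Pass the path of the binary extracted from the image as an argument; the script exits non-zero if any binary was built with a Go version older than `MIN_GO`.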