Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

同学,您这个项目引入了47个开源组件,存在2个漏洞,辛苦升级一下 #29

Closed
ghost opened this issue Mar 7, 2022 · 2 comments

Comments

@ghost
Copy link

ghost commented Mar 7, 2022

检测到 pluveto/upgit 一共引入了47个开源组件,存在2个漏洞

漏洞标题:Go SSH拒绝服务漏洞
缺陷组件:golang.org/x/crypto@v0.0.0-20191011191535-87dc89f01550
漏洞编号:CVE-2020-9283
漏洞描述:Go SSH是一个使用go语言开发的极度简洁的ssh工具,用于远程管理linux、unix等机器。
Go SSH存在拒绝服务漏洞,该漏洞源于网络系统或产品未对输入的数据进行正确的验证,攻击者可利用该漏洞导致拒绝服务条件,拒绝向合法用户提供服务。
国家漏洞库信息:https://www.cnvd.org.cn/flaw/show/CNVD-2020-14300
影响范围:(∞, 0.0.0-20200220183623-bac4c82f6975)
最小修复版本:0.0.0-20200220183623-bac4c82f6975
缺陷组件引入路径:github.com/pluveto/upgit@->golang.org/x/mobile@v0.0.0-20210716004757-34ab1303b554->golang.org/x/mod@v0.4.2->golang.org/x/crypto@v0.0.0-20191011191535-87dc89f01550

另外还有2个漏洞,详细报告:https://mofeisec.com/jr?p=ae53d1

@pluveto
Copy link
Owner

pluveto commented Mar 7, 2022

Our project will never use golang.org/x/crypto/ssh so this is not a problem.
BTW, all deps will be upgraded in the next release.

@pluveto pluveto closed this as completed Mar 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants
@pluveto and others