Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVEs in Portainer Agent #223

Open
velzend opened this issue Dec 30, 2021 · 2 comments
Open

CVEs in Portainer Agent #223

velzend opened this issue Dec 30, 2021 · 2 comments
Labels
internal/jira

Comments

@velzend
Copy link

velzend commented Dec 30, 2021

Bug description
Please fix the vulnerabilities and one compliance finding:

vulnerabilities:
  CVE-2021-38297: go
  CVE-2021-41772: go
  CVE-2021-41771: go
  CVE-2021-39293: go
  CVE-2021-33198: go
  CVE-2021-33196: go
  CVE-2021-33194: go
  CVE-2021-29923: go
  CVE-2021-27918: go
  CVE-2020-28367: go
  CVE-2020-28366: go
  CVE-2020-28362: go
  CVE-2020-16845: go
  CVE-2021-33195: go
compliance:
  - "(CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user"

Expected behavior
All the CVEs are addressed and fixed in future release(s).

Portainer Logs
N/A

Steps to reproduce the issue:
N/A

Technical details:

  • Portainer version: 2.11.0
  • Docker version (managed by Portainer): N/A
  • Kubernetes version (managed by Portainer): N/A
  • Platform (windows/linux): linux
  • Command used to start Portainer Agent: N/A
  • Browser: N/A
  • Have you reviewed our technical documentation and knowledge base? No

Additional context

      "vulnerabilities": [
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Attack vector: network",
            "Critical severity",
            "Has fix",
            "Recent vulnerability",
            "Attack complexity: low"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Critical severity",
            "Has fix",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Critical severity",
            "Has fix",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-39293",
          "status": "fixed in 1.17.1, 1.16.8",
          "cvss": 7.5,
          "description": "DOCUMENTATION: A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.             STATEMENT: * In OpenShift Container Platform, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.  * This flaw is out of support scope for Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata  * Because Service Telemetry Framework1.2 will be retiring soon and the flaw\\'s impact is lower, no update will be provided at this time for STF1.2\\'s smart-gateway-container and sg-core-container.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://github.com/golang/go/issues/47801",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "DoS",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.16.8,1.16"
          ],
          "publishedDate": "2021-08-18T00:00:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33198",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33198",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33196",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive\\'s header) can cause a NewReader or OpenReader panic.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33196",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33196",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive\\'s header) can cause a NewReader or OpenReader panic.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33196",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33194",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<=1.15.12"
          ],
          "publishedDate": "2021-05-26T15:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33194",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "High severity"
          ],
          "impactedVersions": [
            "<=1.15.12"
          ],
          "publishedDate": "2021-05-26T15:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-27918",
          "status": "fixed in 1.16.1, 1.15.9",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.9"
          ],
          "publishedDate": "2021-03-11T00:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-03-11T00:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-27918",
          "status": "fixed in 1.16.1, 1.15.9",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.9"
          ],
          "publishedDate": "2021-03-11T00:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-03-11T00:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28367",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28367",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "Attack vector: network",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28367",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28367",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28366",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28366",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28366",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28366",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28362",
          "status": "fixed in 1.15.4, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28362",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28362",
          "status": "fixed in 1.15.4, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28362",
          "riskFactors": [
            "DoS",
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-16845",
          "status": "fixed in 1.14.7, 1.13.15",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.13.15"
          ],
          "publishedDate": "2020-08-06T18:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2020-08-06T18:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33195",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.3,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "description": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33195",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.3,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "description": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:09Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        }
@marazmarci
Copy link

Bump. Did anyone have the chance to take a look at this? Or have all of these been addressed in releases since then?

@joriskt
Copy link

joriskt commented Aug 23, 2023

Hi @velzend @marazmarci, I'm not affiliated with Portainer but I saw issue #352 . You might want to post it over there instead! Kind regards.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
internal/jira
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@marazmarci @velzend @huib-portainer @joriskt