
Hey, your project pulls in 77 open-source components, and 2 of them have vulnerabilities; please upgrade #345

Open
ghost opened this issue Mar 11, 2022 · 4 comments

Comments

@ghost

ghost commented Mar 11, 2022

Detected that spf13/afero pulls in a total of 77 open-source components, with 2 vulnerabilities.

Vulnerability title: Google Kubernetes API Server resource management error vulnerability
Vulnerable component: gopkg.in/yaml.v2@v2.2.2
Vulnerability ID: CVE-2019-11254
Description: Google Kubernetes is an open-source Docker container cluster management system from Google (USA). It provides resource scheduling, deployment and execution, service discovery, and scaling for containerized applications. The API server is one of its API (application programming interface) servers.
A resource management error vulnerability exists in the API Server component of Google Kubernetes before 1.15.10, before 1.16.7, and before 1.17.3. A remote attacker can exploit this vulnerability with specially crafted requests to cause a denial of service.
National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2020-35519
Affected range: (∞, 2.2.8)
Minimum fixed version: 2.2.8
Vulnerable component import path: github.com/spf13/afero@->gopkg.in/yaml.v2@v2.2.2

In addition, there are 2 vulnerabilities; detailed report: https://mofeisec.com/jr?p=a0bfd4

@kwaicssec

@spf13, hello. The vulnerability report above comes from a security plugin that flagged these vulnerabilities in your project while I was running my IDE. Could you please fix them? I'm worried that other people will also use your project and pull in these vulnerabilities. :)

@jxsl13

jxsl13 commented Apr 29, 2022

English pls. Also this library should not have anything to do with Kubernetes.

@AndrusGerman

@jxsl13 Doing some research, it seems to be a vulnerability reported by Kubernetes; it is related to the library
`gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=`, which is in the go.sum.

kubernetes/issues/89535

@cloudwindy

Translation: (no guarantee on correctness)

Package spf13/afero imports 77 open-source packages, and 2 vulnerabilities are detected.
Title: Google Kubernetes API Server Resource Management Error
Package: gopkg.in/yaml.v2@v2.2.2
CVE: CVE-2019-11254
CNVD: CNVD-2020-35519
Affected: (∞, 2.2.8)
Fixed: 2.2.8
Import path: github.com/spf13/afero@->gopkg.in/yaml.v2@v2.2.2
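As an added example (not code from this issue, from the scanner, or from the afero project), here is a small Go program that reproduces the check the scanner is applying: it reads go.sum entries for gopkg.in/yaml.v2 and flags any version strictly below the fixed version 2.2.8, i.e. inside the reported "(∞, 2.2.8)" range. The go.sum excerpt is constructed for the example; only the `v2.2.2/go.mod` line and its hash are the one quoted in the thread, and the other hashes are obvious placeholders. Note that go.sum lists two lines per version (the module zip hash and the `/go.mod` hash), so the check de-duplicates on version.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// goSum is a constructed go.sum excerpt for this example (not afero's real go.sum).
// Only the gopkg.in/yaml.v2 v2.2.2/go.mod line is the one quoted in the thread;
// the other hashes are placeholders.
const goSum = `github.com/example/dep v1.4.0 h1:PLACEHOLDERhash0000000000000000000000000000=
gopkg.in/yaml.v2 v2.2.2 h1:PLACEHOLDERhash0000000000000000000000000000=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:PLACEHOLDERhash0000000000000000000000000000=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:PLACEHOLDERhash0000000000000000000000000000=
`

// parseVersion turns a Go module version such as "v2.2.2", "2.2.8" or the
// go.sum form "v2.2.2/go.mod" into [major, minor, patch]. Pre-release and
// build metadata ("-rc1", "+incompatible") are dropped for this comparison.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimSuffix(v, "/go.mod")
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// less reports whether version a is strictly lower than version b.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Finding is one go.sum version of the target module that lies below the fixed version.
type Finding struct {
	Module  string
	Version string
	Fixed   string
}

// FindVulnerable scans go.sum text for entries of module whose version is
// strictly below fixed, which is what an affected range of "(∞, fixed)" means.
func FindVulnerable(sum, module, fixed string) ([]Finding, error) {
	fixedV, err := parseVersion(fixed)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{} // the h1 line and the /go.mod line share a version
	var findings []Finding
	for _, line := range strings.Split(sum, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != module {
			continue
		}
		ver := strings.TrimSuffix(fields[1], "/go.mod")
		if seen[ver] {
			continue
		}
		seen[ver] = true
		v, err := parseVersion(ver)
		if err != nil {
			return nil, err
		}
		if less(v, fixedV) {
			findings = append(findings, Finding{Module: module, Version: ver, Fixed: fixed})
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindVulnerable(goSum, "gopkg.in/yaml.v2", "2.2.8")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s is below fixed version %s (CVE-2019-11254)\n", f.Module, f.Version, f.Fixed)
	}
}
```

The comparison is deliberately numeric on major.minor.patch only; for real projects, `govulncheck` from golang.org/x/vuln does this against the Go vulnerability database and also reports whether the vulnerable code is actually reachable, which a go.sum scan like the one in this thread cannot tell.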
