Vulnerabilities to patch in master #14

@davidrenne

Description

Ran govulncheck ./...

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2021-0052
Due to improper HTTP header sanitization, a malicious user can
spoof their source IP address by setting the X-Forwarded-For
header. This may allow a user to bypass IP based restrictions,
or obfuscate their true source.

Call stacks in your code:
core/app/app.go:374:47: github.com/DanielRenne/GoCore/core/app.RunServer calls net/http.Server.ListenAndServe, which eventually calls github.com/gin-gonic/gin.Engine.ServeHTTP

Found in: github.com/gin-gonic/gin@v1.5.0
Fixed in: github.com/gin-gonic/gin@v1.7.7
More info: https://pkg.go.dev/vuln/GO-2021-0052

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0956
Parsing malicious or large YAML documents can consume excessive amounts of
CPU or memory.

Found in: gopkg.in/yaml.v2@v2.2.2
Fixed in: gopkg.in/yaml.v2@v2.2.4
More info: https://pkg.go.dev/vuln/GO-2022-0956

Vulnerability #2: GO-2021-0061
Due to unbounded alias chasing, a maliciously crafted YAML file
can cause the system to consume significant system resources. If
parsing user input, this may be used as a denial of service vector.

Found in: gopkg.in/yaml.v2@v2.2.2
Fixed in: gopkg.in/yaml.v2@v2.2.3
More info: https://pkg.go.dev/vuln/GO-2021-0061

Vulnerability #3: GO-2020-0036
Due to unbounded aliasing, a crafted YAML file can cause consumption
of significant system resources. If parsing user supplied input, this
may be used as a denial of service vector.

Found in: gopkg.in/yaml.v2@v2.2.2
Fixed in: gopkg.in/yaml.v2@v2.2.8
More info: https://pkg.go.dev/vuln/GO-2020-0036

Vulnerability #4: GO-2020-0001
The default Formatter for the Logger middleware (LoggerConfig.Formatter),
which is included in the Default engine, allows attackers to inject arbitrary
log entries by manipulating the request path.

Found in: github.com/gin-gonic/gin@v1.5.0
Fixed in: github.com/gin-gonic/gin@v1.6.0
More info: https://pkg.go.dev/vuln/GO-2020-0001
