apisix-dashboard
Several Go module dependency vulnerabilities observed in apisix-dashboard
Issue description
When running a trivy scan on apisix-dashboard v3.0.1, it reported several CVEs on the dependencies.
Is it possible to update those dependencies?
```
apisix-dashboard-3.0.1$ trivy filesystem --vuln-type library .
2024-01-18T16:02:31.827Z INFO Vulnerability scanning is enabled
2024-01-18T16:02:31.827Z INFO Secret scanning is enabled
2024-01-18T16:02:31.827Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-18T16:02:31.827Z INFO Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2024-01-18T16:02:32.606Z INFO Number of language-specific files: 3
2024-01-18T16:02:32.606Z INFO Detecting gomod vulnerabilities...
2024-01-18T16:02:32.608Z INFO Detecting yarn vulnerabilities...
```
api/go.mod (gomod)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 2, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/gin-gonic/gin | CVE-2023-29401 | MEDIUM | 1.9.0 | 1.9.1 | golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment... https://avd.aquasec.com/nvd/cve-2023-29401 |
| golang.org/x/crypto | CVE-2023-48795 | MEDIUM | 0.5.0 | 0.17.0 | ssh: Prefix truncation attack on Binary Packet Protocol (BPP) https://avd.aquasec.com/nvd/cve-2023-48795 |
| golang.org/x/net | CVE-2023-39325 | HIGH | 0.7.0 | 0.17.0 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) https://avd.aquasec.com/nvd/cve-2023-39325 |
| golang.org/x/net | CVE-2023-3978 | MEDIUM | 0.7.0 | 0.13.0 | golang.org/x/net/html: Cross site scripting https://avd.aquasec.com/nvd/cve-2023-3978 |
| golang.org/x/net | CVE-2023-44487 | MEDIUM | 0.7.0 | 0.17.0 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack... https://avd.aquasec.com/nvd/cve-2023-44487 |
| google.golang.org/grpc | GHSA-m425-mq94-257g | HIGH | 1.47.0 | 1.56.3, 1.57.1, 1.58.3 | gRPC-Go HTTP/2 Rapid Reset vulnerability https://github.com/advisories/GHSA-m425-mq94-257g |
| google.golang.org/grpc | CVE-2023-44487 | MEDIUM | 1.47.0 | 1.58.3, 1.57.1, 1.56.3 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack... https://avd.aquasec.com/nvd/cve-2023-44487 |
Expected behavior
Dependencies up to date
How to Reproduce
Run a trivy scan on the source code
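The fix the report asks for is bumping each listed module to a fixed version. As an added example (not part of this issue or of the apisix-dashboard project), the Python script below reads a trivy `--format json` gomod report and derives the minimal `go get` bumps: per finding it takes the lowest fixed version newer than the installed one, and per module the highest of those, so a single bump clears every finding against that module. The sample report is constructed from the seven findings in the table above; the field names follow trivy's JSON output layout.

```python
import json

# Constructed sample: the seven api/go.mod findings from this issue, in the
# field layout trivy uses for --format json (Results -> Vulnerabilities).
FINDINGS = [  # (id, module, installed, fixed)
    ("CVE-2023-29401", "github.com/gin-gonic/gin", "1.9.0", "1.9.1"),
    ("CVE-2023-48795", "golang.org/x/crypto", "0.5.0", "0.17.0"),
    ("CVE-2023-39325", "golang.org/x/net", "0.7.0", "0.17.0"),
    ("CVE-2023-3978", "golang.org/x/net", "0.7.0", "0.13.0"),
    ("CVE-2023-44487", "golang.org/x/net", "0.7.0", "0.17.0"),
    ("GHSA-m425-mq94-257g", "google.golang.org/grpc", "1.47.0", "1.56.3, 1.57.1, 1.58.3"),
    ("CVE-2023-44487", "google.golang.org/grpc", "1.47.0", "1.58.3, 1.57.1, 1.56.3"),
]
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "api/go.mod", "Type": "gomod",
    "Vulnerabilities": [{"VulnerabilityID": i, "PkgName": m, "InstalledVersion": iv,
                         "FixedVersion": f} for i, m, iv, f in FINDINGS]}]})

def parse_version(v):
    """'v1.56.3' or '1.56.3' -> (1, 56, 3); pre-release/build suffixes are dropped."""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split("+")[0].split("."))

def lowest_fix(installed, fixed_field):
    """Smallest listed fix newer than the installed version, or None if unfixed.
    trivy lists several versions when a fix was backported to multiple branches."""
    cands = [c.strip() for c in fixed_field.split(",") if c.strip()]
    newer = [c for c in cands if parse_version(c) > parse_version(installed)]
    return min(newer, key=parse_version) if newer else None

def required_bumps(report_json, target="api/go.mod"):
    """Return ({module: version}, [(module, id)]): the max of each finding's lowest
    fix per module, plus the findings that no published version fixes."""
    bumps, unfixed = {}, []
    for result in json.loads(report_json)["Results"]:
        if result.get("Type") != "gomod" or result.get("Target") != target:
            continue
        for v in result.get("Vulnerabilities", []):
            fix = lowest_fix(v["InstalledVersion"], v.get("FixedVersion", ""))
            if fix is None:
                unfixed.append((v["PkgName"], v["VulnerabilityID"]))
                continue
            cur = bumps.get(v["PkgName"])
            if cur is None or parse_version(fix) > parse_version(cur):
                bumps[v["PkgName"]] = fix
    return bumps, unfixed

def go_get_commands(report_json):
    """Commands to run in api/ before `go mod tidy` and a re-scan."""
    bumps, _ = required_bumps(report_json)
    return [f"go get {m}@v{v}" for m, v in sorted(bumps.items())]
```

Run the emitted commands inside `api/`, then `go mod tidy` and re-run trivy to confirm the table is empty; modules with no published fix are returned separately so they are not silently dropped.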