
Security issue CVE-2024-45336 CVE-2024-45341 CVE-2025-22866

Open cyi4200 opened this issue 9 months ago • 3 comments

Supercronic v0.2.33 is affected by CVE-2024-45336, CVE-2024-45341 and CVE-2025-22866.

CVE-2024-45336 golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect https://avd.aquasec.com/nvd/cve-2024-45336

CVE-2024-45341 golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name...
https://avd.aquasec.com/nvd/cve-2024-45341

CVE-2025-22866 crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec https://avd.aquasec.com/nvd/cve-2025-22866

cyi4200, Feb 26 '25 05:02

The net/http dependency is also vulnerable to CVE-2025-22871 (https://github.com/advisories/GHSA-g9pc-8g42-g6vq); Go should be updated to 1.23.8+ or 1.24.2+.

jarekchr, Apr 28 '25 09:04
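One way to check whether a built supercronic binary already carries a fixed toolchain, as an added example that is not part of this thread or of the supercronic project: the thresholds (1.23.8 and 1.24.2) are the ones stated in the comment above, the first line of `go version -m <binary>` output is a constructed sample, and the parsing and comparison logic is my own, assumption-laden code (release lines newer than the newest listed one are assumed fixed, older lines are treated as unfixed).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// fixedIn maps a Go 1.x minor line to the first patch release that carries
// the fix, per the comment above (1.23.8+ or 1.24.2+). Assumption: lines
// newer than the newest listed one are fixed; older lines are not.
var fixedIn = map[int]int{23: 8, 24: 2}

// goVersionRe matches toolchain strings such as "go1.23.0" or "go1.24".
var goVersionRe = regexp.MustCompile(`go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion extracts (minor, patch) from a Go 1.x version string.
// A missing patch component is treated as .0; pre-release suffixes
// (rc1, beta1) are ignored, which is conservative.
func parseGoVersion(s string) (minor, patch int, ok bool) {
	m := goVersionRe.FindStringSubmatch(s)
	if m == nil || m[1] != "1" {
		return 0, 0, false
	}
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return minor, patch, true
}

// newestListedLine returns the highest minor line present in fixedIn.
func newestListedLine() int {
	n := 0
	for minor := range fixedIn {
		if minor > n {
			n = minor
		}
	}
	return n
}

// IsFixed reports whether the toolchain version in s is at or above the
// first fixed release on its line. Unparseable input is reported as unfixed
// so that a broken check never reads as "safe".
func IsFixed(s string) bool {
	minor, patch, ok := parseGoVersion(s)
	if !ok {
		return false
	}
	need, listed := fixedIn[minor]
	if !listed {
		return minor > newestListedLine()
	}
	return patch >= need
}

// ToolchainFromVersionOutput takes the output of `go version -m <binary>`
// and returns the toolchain string from its first line, e.g. "go1.23.0".
// The first line has the form "<path>: go1.23.0"; module lines follow,
// tab-indented, and are deliberately not consulted.
func ToolchainFromVersionOutput(out string) (string, bool) {
	first := strings.SplitN(out, "\n", 2)[0]
	m := goVersionRe.FindString(first)
	return m, m != ""
}

func main() {
	// Constructed sample of `go version -m supercronic` output (not real data).
	sample := "supercronic: go1.23.0\n" +
		"\tpath\tgithub.com/aptible/supercronic\n" +
		"\tmod\tgithub.com/aptible/supercronic\t(devel)\n"
	tc, ok := ToolchainFromVersionOutput(sample)
	if !ok {
		fmt.Println("could not determine toolchain version")
		return
	}
	fmt.Printf("toolchain %s, fixed for CVE-2025-22871: %v\n", tc, IsFixed(tc))
}
```

Run `go version -m` against the binary you actually deploy and feed its output to ToolchainFromVersionOutput; checking the go.mod directive alone is not enough, because the toolchain that built the release is what embeds the vulnerable net/http code.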

I'm observing those same vulnerabilities in my projects.

carloszimm, Apr 29 '25 23:04

@aptible are you aware of this issue?

hartwork, May 23 '25 17:05

These are addressed as part of https://github.com/aptible/supercronic/pull/192.

almathew, Jun 09 '25 19:06

@almathew I think the release of those changes is still pending.

carloszimm, Jun 16 '25 17:06

Hi Ashley (@almathew), are you also going to update "go 1.23.0" to "go 1.24.4" in go.mod?

jarekchr, Jun 17 '25 07:06

My PR fixes a lot. @almathew https://github.com/aptible/supercronic/pull/178/

qianlongzt, Jun 17 '25 07:06