
Upgrade to go 1.21.2+

Open vinsonxing opened this issue 1 year ago • 7 comments

Hi,

Do you have a plan to upgrade the golang version to 1.21.2+ (currently grpcurl 1.8.9 is built on top of golang 1.21.1)? In our security scanning, we get a Critical issue in 1.21.1 (CVE-2023-39323).

Thanks

vinsonxing avatar Oct 25 '23 12:10 vinsonxing

Our scanner also complained https://nvd.nist.gov/vuln/detail/CVE-2023-44487 due to go 1.21.1

Apart from go, there is also grpc version that needs to be upgraded: https://github.com/advisories/GHSA-m425-mq94-257g

gfrankliu avatar Oct 30 '23 20:10 gfrankliu

Same, Critical issue with: https://github.com/advisories/GHSA-m425-mq94-257g

lokeshmavale avatar Nov 03 '23 17:11 lokeshmavale

Will this be fixed in a new version? What's the timeline?

vinsonxing avatar Nov 17 '23 02:11 vinsonxing

There's no threat model for either of these vulns for gRPCurl. So we have no urgency to address them.

dragonsinth avatar Nov 17 '23 14:11 dragonsinth

I am not raising another issue because I found this open one. Even in our case we are getting a security vuln due to the below CVE IDs, which require an upgrade to golang version 1.21.2+:

CVE-2023-39323, CVE-2023-45285, CVE-2023-45283, CVE-2023-39325, CVE-2023-45284, CVE-2023-39326

enakshipriya avatar Feb 07 '24 08:02 enakshipriya
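The scanner findings in this thread come from the Go toolchain and module versions recorded inside the grpcurl binary, which `go version -m <binary>` prints. As an added example (not code from the grpcurl project or from anyone in this thread), here is a small Go program that parses that output and reports every component below a minimum version; the sample output is constructed, and the gRPC minimum used in `main` is a placeholder assumption to be taken from the advisory linked above.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed `go version -m <binary>` output (not real; the hash is a placeholder).
const sampleVersionOutput = "grpcurl: go1.21.1\n\tdep\tgoogle.golang.org/grpc\tv1.57.0\th1:PLACEHOLDER\n"

// versionKey orders "go1.21.1" / "v1.57.0" as major<<40 | minor<<20 | patch;
// a missing or non-numeric component (e.g. a pre-release suffix) counts as 0.
func versionKey(s string) (key uint64) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	for i, p := range strings.SplitN(s, ".", 3) {
		n, _ := strconv.Atoi(p)
		key |= uint64(n) << (40 - 20*i)
	}
	return key
}

// Findings compares the toolchain (first line "<name>: go1.x.y", keyed "go") and
// every mod/dep module against the given minimums; empty means the binary passes.
func Findings(out string, minimums map[string]string) []string {
	have := map[string]string{}
	for i, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if i == 0 && len(f) == 2 {
			have["go"] = f[1]
		} else if len(f) >= 3 && (f[0] == "mod" || f[0] == "dep") {
			have[f[1]] = f[2]
		}
	}
	var found []string
	for name, want := range minimums {
		if versionKey(have[name]) < versionKey(want) {
			found = append(found, fmt.Sprintf("%s %q < %s", name, have[name], want))
		}
	}
	sort.Strings(found)
	return found
}

func main() {
	// The gRPC minimum is an assumption; take it from GHSA-m425-mq94-257g.
	mins := map[string]string{"go": "go1.21.2", "google.golang.org/grpc": "v1.58.3"}
	fmt.Println(Findings(sampleVersionOutput, mins))
}
```

A module that is absent from the binary is reported as below minimum as well, so a renamed or vendored dependency surfaces as a finding rather than silently passing.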