sops
revved gopkg.in/yaml.v3 to v3.0.1 to fix CVE-2022-28948
Hello,
submitting this PR to fix a vulnerability found by a container scan.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28948
```json
{
  "hash": "",
  "created_by": "dpkg -i sops_3.7.3_amd64.deb",
  "packages": [
    {
      "name": "gopkg.in/yaml.v3",
      "namespace": "go",
      "version": "v3.0.0-20210107192922-496545a6307b",
      "src": "usr/local/bin/sops",
      "vulnerabilities": [
        {
          "name": "CVE-2022-28948",
          "description": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.",
          "severity": "High",
          "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28948",
          "fix_version": "3.0.0",
          "metadata": {
            "NVD": {
              "CVSSv2": {
                "PublishedDateTime": "2022-05-19T20:15Z",
                "Score": 5,
                "Vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
              },
              "CVSSv3": {
                "ExploitabilityScore": 3.9,
                "ImpactScore": 3.6,
                "Score": 7.5,
                "Vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
              }
            }
          },
          "status": "VULNERABLE"
        }
      ]
    }
  ]
},
```
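Added example, not code from this PR or from the sops project: a small Go check that does what the container scanner did for usr/local/bin/sops, reading the module list embedded in a Go binary with the standard library's debug/buildinfo and flagging gopkg.in/yaml.v3 when the version actually linked in is below v3.0.1, the version this PR bumps to. The v3.0.1 threshold is an assumption taken from the PR title (the scanner entry reports fix_version 3.0.0); the program name checkdeps and any module paths other than gopkg.in/yaml.v3 are constructed for illustration. It honours replace directives, skips entries without a semantic version such as the "(devel)" a local directory replace shows, and orders a pseudo-version like the scanned v3.0.0-20210107192922-496545a6307b below the bare v3.0.0 release, which a plain string comparison gets wrong.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding is a dependency whose effective version is below the fix.
type Finding struct{ Path, Version, FixedIn string }

// fixedIn maps module path -> lowest fixed version. v3.0.1 is assumed from
// this PR's title (the scanner entry above reports fix_version 3.0.0).
var fixedIn = map[string]string{"gopkg.in/yaml.v3": "v3.0.1"}

// mod builds a dependency entry shaped like those debug/buildinfo returns.
func mod(path, version string, replace *debug.Module) *debug.Module {
	return &debug.Module{Path: path, Version: version, Replace: replace}
}

// findOutdated flags deps below their fixed version, honouring replace
// directives (that is what was linked) and skipping entries without a
// semantic version, such as the "(devel)" a local directory replace shows.
func findOutdated(fixed map[string]string, deps ...*debug.Module) []Finding {
	var out []Finding
	for _, m := range deps {
		if m.Replace != nil {
			m = m.Replace
		}
		want, ok := fixed[m.Path]
		if !ok || !strings.HasPrefix(m.Version, "v") {
			continue
		}
		if cmpVersion(m.Version, want) < 0 {
			out = append(out, Finding{m.Path, m.Version, want})
		}
	}
	return out
}

// cmpVersion orders module versions: numeric core first, then a pre-release
// (a pseudo-version like v3.0.0-20210107192922-496545a6307b is one) ranks
// below the bare release. Pre-release tags are compared as strings, which
// is exact for fixed-width pseudo-version timestamps but not for rc.9/rc.10.
func cmpVersion(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := range ca {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// splitVersion returns major.minor.patch and the pre-release tag; build
// metadata after '+' is ignored as semver requires.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	core, pre, _ := strings.Cut(v, "-")
	var nums [3]int
	for i, part := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(part)
	}
	return nums, pre
}

// Usage: checkdeps usr/local/bin/sops (the path the scanner reported).
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkdeps <go-binary>")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	findings := findOutdated(fixedIn, bi.Deps...)
	for _, f := range findings {
		fmt.Printf("%s %s is below fixed version %s\n", f.Path, f.Version, f.FixedIn)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Exit status 1 means at least one dependency was flagged, 2 means the file could not be read as a Go binary. `go version -m <binary>` prints the same module list if you only want to eyeball it; the point of the program is that the comparison is done by version precedence rather than by string, so a pre-fix pseudo-version cannot slip past as "newer" than v3.0.0.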
@ajvb updated the dependency in question using the package manager. I think that's what we needed... first time contributing to a Go project, so thanks for bearing with me.
As https://github.com/getsops/sops/pull/1147 will deal with this as well (and a literal update of all other outdated things), I am going to favor that PR over this one. However, I do want to thank you for your contribution! :tulip: