migrate
Upgrade github.com/snowflakedb/gosnowflake to the newer version
Describe the Bug
github.com/snowflakedb/[email protected] has a dependency on github.com/dgrijalva/[email protected]+incompatible. This version of jwt-go has a vulnerability:
- allowing attackers to bypass intended access restrictions in situations with []string{} for m["aud"]
This will cause a security issue; newer versions of gosnowflake remove this dependency.
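The `m["aud"]` problem in the report is easy to see in isolation. The program below is an added example, not code from this issue, from jwt-go or from gosnowflake: it reimplements the shape of the vulnerable audience check (a plain type assertion to `string`, with an empty audience accepted whenever the caller did not mark the claim as required, which is what CVE-2020-26160 describes for jwt-go before 4.0.0-preview1) next to a hardened check that handles both the string and the array encoding of `aud`, and runs both over a constructed token. The token, the audience names and the helper functions `buildUnsignedToken` and `decodeClaims` are all invented for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// vulnerableVerifyAudience reproduces the shape of the audience check that
// CVE-2020-26160 describes: the type assertion to string fails silently when
// "aud" is a JSON array, so aud becomes "" and the claim is treated as absent.
// If the caller did not mark the claim as required, a token issued for a
// completely different audience passes.
func vulnerableVerifyAudience(claims map[string]interface{}, expected string, required bool) bool {
	aud, _ := claims["aud"].(string) // a JSON array silently becomes ""
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// hardenedVerifyAudience accepts both encodings RFC 7519 allows (a single
// string or an array of strings). A present claim of any other type is a
// malformed token and is rejected instead of being treated as missing.
func hardenedVerifyAudience(claims map[string]interface{}, expected string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []interface{}: // what encoding/json produces for a JSON array
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	if len(auds) == 0 {
		return !required // "aud": [] names no audience at all
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}

// buildUnsignedToken assembles a compact JWS with alg "none" from a JSON
// payload. It exists only to produce constructed test input offline.
func buildUnsignedToken(payloadJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"none","typ":"JWT"}`))
	return header + "." + enc([]byte(payloadJSON)) + "."
}

// decodeClaims returns the claim set of a compact JWS. It does not verify the
// signature; that is a separate step this example does not cover.
func decodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return claims, nil
}

func main() {
	// Constructed token: issued for the "billing-api" audience only.
	token := buildUnsignedToken(`{"sub":"alice","aud":["billing-api"]}`)
	claims, err := decodeClaims(token)
	if err != nil {
		panic(err)
	}
	// A service expecting "migrate-admin" that checks the audience with
	// required=false lets this token through under the vulnerable logic.
	fmt.Println("vulnerable:", vulnerableVerifyAudience(claims, "migrate-admin", false)) // true
	fmt.Println("hardened:", hardenedVerifyAudience(claims, "migrate-admin", false))     // false
	fmt.Println("hardened, right audience:", hardenedVerifyAudience(claims, "billing-api", true)) // true
}
```

Note that the vulnerable version also rejects a token whose array-valued `aud` does contain the expected audience when the claim is required, so the bug is not just a bypass: the library never handled the array form at all.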
Thanks for the report. It looks like this is the vulnerability you were referring to
Thanks for the commit to fix it
Just a follow-up on this. I realized that gosnowflakeDB still has a dependency on this vulnerable jwt-go. They removed the direct dependency, but later on they added another dependency which brings it back.
github.com/golang-migrate/migrate/[email protected]
github.com/snowflakedb/[email protected]
github.com/snowflakedb/[email protected] github.com/Azure/[email protected]
github.com/Azure/[email protected] github.com/Azure/go-autorest/autorest/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] github.com/dgrijalva/[email protected]+incompatible
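The chain above is what `go mod graph` prints as parent/child edges, and tracing it by hand through several repositories is exactly the tedious part. As an added example (not code from the migrate project or from anyone in this thread), here is a small Go program that parses `go mod graph` output and finds the shortest path from the main module to any version of a given module, printing it in the arrow style used in this issue. The graph it is fed is constructed for the example: the module paths are real, but `example.com/app` and every version number are placeholders, not the real versions of these modules.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output. It is not
// the real graph of golang-migrate/migrate; versions are placeholders.
// Each line is "parent child", nodes are "path@version", and the main
// module (listed first) has no version.
const sampleGraph = `example.com/app github.com/golang-migrate/migrate/v4@v4.0.0
github.com/golang-migrate/migrate/v4@v4.0.0 github.com/lib/pq@v1.0.0
github.com/golang-migrate/migrate/v4@v4.0.0 github.com/snowflakedb/gosnowflake@v1.0.0
github.com/snowflakedb/gosnowflake@v1.0.0 github.com/Azure/azure-storage-blob-go@v0.1.0
github.com/Azure/azure-storage-blob-go@v0.1.0 github.com/Azure/go-autorest/autorest/adal@v0.1.0
github.com/Azure/go-autorest/autorest/adal@v0.1.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/lib/pq@v1.0.0 golang.org/x/crypto@v0.0.0-placeholder
`

// parseGraph turns `go mod graph` text into an adjacency list that keeps the
// order in which edges appeared, so results are deterministic. It also
// returns the root (main) module, which go mod graph lists first.
func parseGraph(text string) (map[string][]string, string) {
	edges := map[string][]string{}
	root := ""
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		if root == "" {
			root = fields[0]
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges, root
}

// modulePath strips the "@version" suffix from a graph node.
func modulePath(node string) string {
	return strings.SplitN(node, "@", 2)[0]
}

// findPath runs a breadth-first search from root and returns the shortest
// chain of nodes that leads to any version of target, or nil if target is
// not reachable. The shortest chain is what you want when deciding where a
// version bump or a replace directive has to go.
func findPath(edges map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if modulePath(node) == target {
			var chain []string
			for n := node; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[node] {
			if _, seen := parent[next]; !seen {
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// formatChain renders the chain with one node per line in the "->", "-->"
// style used in this issue.
func formatChain(chain []string) string {
	var b strings.Builder
	for i, n := range chain {
		fmt.Fprintf(&b, "%s> %s\n", strings.Repeat("-", i+1), n)
	}
	return b.String()
}

func main() {
	edges, root := parseGraph(sampleGraph)
	chain := findPath(edges, root, "github.com/dgrijalva/jwt-go")
	if chain == nil {
		fmt.Println("github.com/dgrijalva/jwt-go is not reachable from", root)
		return
	}
	fmt.Print(formatChain(chain))
}
```

To use it on a real repository, pipe `go mod graph` into the program instead of the embedded constant; the rest of the logic is unchanged.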
Haha! 🤦
Thanks for re-reporting! I've reopened the issue and will keep it open until the upstream dependencies are fixed. Looks like this is still an issue in v1.5.0.
Just FYI, my team decided to use "replace" to get rid of the vulnerable code in jwt-go. It was too much for us to track the dependencies all the way down to 4 repos. But we can keep the issue open to track this vulnerability.
The issue still exists:
github.com/dhui/[email protected]
- github.com/containerd/[email protected]
-- github.com/Microsoft/[email protected]
--- github.com/containerd/[email protected] (yeah...)
---- k8s.io/[email protected] (also 0.20.1 and 0.20.4)
----- k8s.io/[email protected]
------ github.com/Azure/go-autorest/[email protected]
------- github.com/Azure/go-autorest/autorest/[email protected]
-------- github.com/dgrijalva/[email protected]+incompatible
I know it's only used for testing, but still... CVE details: https://nvd.nist.gov/vuln/detail/CVE-2020-26160
And more issues:
[CVE-2020-8558] The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, ...
[CVE-2019-11248] The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet ...
[CVE-2019-11247] The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custo...
[CVE-2019-11243] Credentials Management
[CVE-2021-25741] A security issue was discovered in Kubernetes where a user may be able to create...
[CVE-2020-8552] The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, ...
[CVE-2019-11253] Improper input validation in the Kubernetes API server in versions v1.0-1.12 and...
-> github.com/golang-migrate/migrate/[email protected]
--> github.com/dhui/[email protected]
---> github.com/containerd/[email protected]
----> github.com/containerd/[email protected]
-----> github.com/containerd/[email protected]
------> github.com/Microsoft/[email protected]
-------> github.com/containerd/[email protected]
--------> github.com/containerd/[email protected]
----------> github.com/Microsoft/[email protected]
-----------> k8s.io/[email protected]
[CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...
-> github.com/golang-migrate/migrate/[email protected]
--> github.com/dhui/[email protected]
---> github.com/containerd/[email protected]
----> github.com/containerd/[email protected]
-----> github.com/spf13/[email protected]
------> github.com/spf13/[email protected]
-------> github.com/coreos/[email protected]+incompatible
Nancy again found vulnerabilities:
[CVE-2022-24778] CWE-863: Incorrect Authorization
--> github.com/golang-migrate/migrate/[email protected]
----> github.com/dhui/[email protected]
------> github.com/containerd/[email protected]
--------> github.com/containerd/[email protected]
sonatype-2021-0853
--> github.com/golang-migrate/migrate/[email protected]
----> github.com/jackc/pgproto3/[email protected]
[CVE-2022-29162] CWE-276: Incorrect Default Permissions
--> github.com/golang-migrate/migrate/[email protected]
----> github.com/dhui/[email protected]
------> github.com/containerd/[email protected]
--------> github.com/opencontainers/[email protected]
[CVE-2022-21698] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
--> github.com/golang-migrate/migrate/[email protected]
----> github.com/dhui/[email protected]
------> github.com/containerd/[email protected]
---------> github.com/prometheus/[email protected]
[CVE-2020-8558] CWE-287: Improper Authentication
[CVE-2019-11248] CWE-862: Missing Authorization
[CVE-2019-11243] CWE-212: Improper Cross-boundary Removal of Sensitive Data
[CVE-2019-11247] CWE-863: Incorrect Authorization
[CVE-2021-25741] CWE-552: Files or Directories Accessible to External Parties
[CVE-2019-11253] CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
[CVE-2020-8559] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
[CVE-2019-1002100] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2019-11249] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[CVE-2019-11250] CWE-532: Information Exposure Through Log Files
[CVE-2019-11252] CWE-209: Information Exposure Through an Error Message
[CVE-2019-11254] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2020-8551] CWE-770: Allocation of Resources Without Limits or Throttling
[CVE-2021-25735] CWE-863: Incorrect Authorization
[CVE-2019-11251] CWE-59: Improper Link Resolution Before File Access ('Link Following')
[CVE-2020-8566] CWE-532: Information Exposure Through Log Files
[CVE-2020-8557] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
[CVE-2020-8564] CWE-532: Information Exposure Through Log Files
[CVE-2020-8565] CWE-532: Information Exposure Through Log Files
[CVE-2019-1002101] CWE-59: Improper Link Resolution Before File Access ('Link Following')
[CVE-2019-11244] CWE-732: Incorrect Permission Assignment for Critical Resource
[CVE-2020-8554] CWE-863: Incorrect Authorization
[CVE-2021-3636] CWE-287: Improper Authentication
[CVE-2021-25736] CWE-20: Improper Input Validation
[CVE-2020-8552] CWE-770: Allocation of Resources Without Limits or Throttling
[CVE-2020-8561] CWE-610: Externally Controlled Reference to a Resource in Another Sphere
[CVE-2020-8562] CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
[CVE-2021-25740] CWE-610: Externally Controlled Reference to a Resource in Another Sphere
[CVE-2021-25743] CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
[CVE-2018-1002102] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
--> github.com/golang-migrate/migrate/[email protected]
----> github.com/dhui/[email protected]
------> github.com/containerd/[email protected]
--------> github.com/Microsoft/[email protected]
-----------> k8s.io/[email protected]
sonatype-2019-0702
--> github.com/golang-migrate/migrate/[email protected]
----> go.mongodb.org/[email protected]
------> github.com/gobuffalo/packr/[email protected]
Hello folks,
Any update about the vulnerabilities?