clickhouse-backup

Vulnerability in jwt-go

Open bgranvea opened this issue 3 years ago • 1 comment

If I scan the latest version 1.4.3 with trivy, I get a security warning on github.com/dgrijalva/jwt-go:

# trivy image --severity HIGH,CRITICAL alexakulov/clickhouse-backup:1.4.3

bin/clickhouse-backup (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────────────────────────┬────────────────┬──────────┬─────────────────────┬───────────────┬─────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │  Installed Version  │ Fixed Version │                      Title                      │
├─────────────────────────────┼────────────────┼──────────┼─────────────────────┼───────────────┼─────────────────────────────────────────────────┤
│ github.com/dgrijalva/jwt-go │ CVE-2020-26160 │ HIGH     │ v3.2.0+incompatible │               │ jwt-go: access restriction bypass vulnerability │
│                             │                │          │                     │               │ https://avd.aquasec.com/nvd/cve-2020-26160      │
└─────────────────────────────┴────────────────┴──────────┴─────────────────────┴───────────────┴─────────────────────────────────────────────────┘

I see that it is an indirect dependency, but is it possible to fix this somehow?

bgranvea avatar Jun 21 '22 16:06 bgranvea

Looks like it requires updating the Azure dependencies, but we don't have enough resources for testing; feel free to make a pull request.

Slach avatar Jun 21 '22 16:06 Slach

The latest 1.6.2 version updates the Azure dependencies; now we use github.com/golang-jwt/jwt/v4.

Slach avatar Sep 03 '22 17:09 Slach
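For readers wondering what CVE-2020-26160 actually does and why swapping dgrijalva/jwt-go for github.com/golang-jwt/jwt/v4 closes it: the defect is in claim handling, not signature checking. In jwt-go v3.2.0, MapClaims.VerifyAudience type-asserts the "aud" claim to a single string; RFC 7519 also allows "aud" to be a JSON array, and for an array the assertion fails, "aud" is treated as empty, and a service that does not mark the audience as required accepts a token minted for some other audience. The block below is an added example, not code from clickhouse-backup, jwt-go or golang-jwt/jwt: verifyAudienceV3 reproduces the v3.2.0 logic, verifyAudienceV4 is written in the style of the golang-jwt/jwt v4 fix (it does not reproduce every detail of that library), and the claim maps are constructed to look like what encoding/json produces for a token whose "aud" is ["billing-api"].

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// MapClaims mirrors the map type jwt-go and golang-jwt/jwt use for parsed claims.
type MapClaims map[string]interface{}

// verifyAudienceV3 reproduces the audience check as it behaved in
// dgrijalva/jwt-go v3.2.0 (CVE-2020-26160): "aud" is type-asserted to a
// single string, so an array-valued "aud" silently becomes "" and, when the
// audience is not marked required, the check passes for any expected value.
func verifyAudienceV3(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string) // assertion fails for []string / []interface{}
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// verifyAudienceV4 follows the approach taken in golang-jwt/jwt v4 (simplified,
// written for this example): every JSON shape "aud" may legitimately take
// (string, []string, []interface{}) is normalised to a list, and the check
// passes only if one entry equals cmp. A non-string entry is rejected outright.
func verifyAudienceV4(m MapClaims, cmp string, required bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case string:
		aud = append(aud, v)
	case []string:
		aud = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			aud = append(aud, s)
		}
	}
	if len(aud) == 0 {
		return !required
	}
	for _, a := range aud {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims: what encoding/json yields for a token with "aud": ["billing-api"].
	arrayAud := MapClaims{"aud": []interface{}{"billing-api"}}

	// A service called "backup-api" that does not require an audience:
	// v3 accepts a token that was never issued for it (the bypass), v4 rejects it.
	fmt.Println("v3 accepts foreign audience:", verifyAudienceV3(arrayAud, "backup-api", false))
	fmt.Println("v4 accepts foreign audience:", verifyAudienceV4(arrayAud, "backup-api", false))

	// The same bug cuts the other way: with required=true, v3 rejects even a
	// correct array-valued audience, because the value it compares is "".
	fmt.Println("v3 accepts matching audience:", verifyAudienceV3(arrayAud, "billing-api", true))
	fmt.Println("v4 accepts matching audience:", verifyAudienceV4(arrayAud, "billing-api", true))
}
```

To confirm which library a released binary actually links, run `go version -m bin/clickhouse-backup` against the extracted image contents and look for github.com/golang-jwt/jwt/v4 rather than github.com/dgrijalva/jwt-go in the dependency list; that is the same embedded module information trivy reads when it reports a gobinary finding.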