kaidisn / drone Goto Github PK

Vulnerable Library - github.com/prometheus/client_golang/prometheus/promhttp-v1.1.0

Prometheus instrumentation library for Go applications

Dependency Hierarchy:

• ❌ github.com/prometheus/client_golang/prometheus/promhttp-v1.1.0 (Vulnerable Library)

Found in base branch: parkside

Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1

Vulnerable Library - github.com/opencontainers/image-spec/specs-go/v1-v1.0.1

OCI Image Format

Dependency Hierarchy:

• github.com/drone/drone/metric-v1.10.1 (Root Library)
  • github.com/drone/drone/core-v1.10.1
    • github.com/drone/drone-yaml/yaml-v1.2.3
      • github.com/drone/drone-runtime/engine-v1.1.0
        • github.com/docker/go-docker/api/types/volume-v1.0.0
          • github.com/docker/go-docker/api/types-v1.0.0
            • github.com/docker/go-docker/api/types/registry-v1.0.0
              • ❌ github.com/opencontainers/image-spec/specs-go/v1-v1.0.1 (Vulnerable Library)

Found in HEAD commit: 082ab9a6bd3059d8bdb64d22fe950319444defb1

Found in base branch: parkside

Vulnerability Details

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.

Publish Date: 2021-11-17

URL: CVE-2021-41190

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq97-vm5h-rrhg

Release Date: 2021-11-17

Fix Resolution: v2.8.0

Vulnerable Library - golang.org/x/text/language-v0.3.5

Package language implements BCP 47 language tags and related functionality.

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.5.zip

Dependency Hierarchy:

• github.com/drone/drone/store/logs-v1.10.1 (Root Library)
  • github.com/azure/azure-storage-blob-go/azblob-v0.13.0
    • github.com/azure/azure-pipeline-go/pipeline-v0.2.3
      • github.com/mattn/go-ieproxy-v0.0.1
        • github.com/golang/net/http/httpproxy-v0.1.0
          • github.com/golang/net/idna-v0.1.0
            • golang.org/x/text/secure/bidirule-v0.3.5
              • golang.org/x/text/unicode/bidi-v0.3.5
                • golang.org/x/text/unicode/rangetable-v0.3.5
                  • ❌ golang.org/x/text/language-v0.3.5 (Vulnerable Library)

Found in base branch: parkside

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

Vulnerable Library - github.com/DGRIJALVA/jwt-go-v3.2.0+incompatible

ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:

Library home page: https://proxy.golang.org/github.com/dgrijalva/jwt-go/@v/v3.2.0+incompatible.zip

Dependency Hierarchy:

• ❌ github.com/DGRIJALVA/jwt-go-v3.2.0+incompatible (Vulnerable Library)

Found in HEAD commit: 082ab9a6bd3059d8bdb64d22fe950319444defb1

Found in base branch: parkside

Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26160

Release Date: 2020-09-30

Fix Resolution: v4.0.0-preview1

Vulnerable Libraries - github.com/vinzenz/yaml-35282ab071f92dad183b70e7ed117f1ab244c880, github.com/buildkite/yaml-v2.2.0

Found in HEAD commit: 082ab9a6bd3059d8bdb64d22fe950319444defb1

Found in base branch: parkside

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-02

Fix Resolution: v2.2.8

Vulnerable Library - golang.org/x/text/language-v0.3.5

Package language implements BCP 47 language tags and related functionality.

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.5.zip

Dependency Hierarchy:

• github.com/drone/drone/store/logs-v1.10.1 (Root Library)
  • github.com/azure/azure-storage-blob-go/azblob-v0.13.0
    • github.com/azure/azure-pipeline-go/pipeline-v0.2.3
      • github.com/mattn/go-ieproxy-v0.0.1
        • github.com/golang/net/http/httpproxy-v0.1.0
          • github.com/golang/net/idna-v0.1.0
            • golang.org/x/text/secure/bidirule-v0.3.5
              • golang.org/x/text/unicode/bidi-v0.3.5
                • golang.org/x/text/unicode/rangetable-v0.3.5
                  • ❌ golang.org/x/text/language-v0.3.5 (Vulnerable Library)

Found in base branch: parkside

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8