Fix CVE-2024-2660 by TheoBrigitte · Pull Request #1519 · getsops/sops

TheoBrigitte · 2024-06-01T19:57:03Z

Update github.com/hashicorp/vault/api to v1.14.0 to fix following CVE:

$ go list -json -deps ./... | nancy sleuth
pkg:golang/github.com/hashicorp/vault/api@v1.12.0
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2024-2660] CWE-703: Improper Check or Handling of Exceptional Conditions                                                                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ Vault and Vault Enterprise TLS certificates auth method did not correctly                                                                                                                                ┃
┃                    ┃ validate OCSP responses when one or more OCSP sources were configured.                                                                                                                                   ┃
┃                    ┃ Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.                                                                                                                                  ┃
┃                    ┃                                                                                                                                                                                                          ┃
┃                    ┃ Sonatype's research suggests that this CVE's details differ from those                                                                                                                                   ┃
┃                    ┃ defined at NVD. See                                                                                                                                                                                      ┃
┃                    ┃ https://ossindex.sonatype.org/vulnerability/CVE-2024-2660 for details                                                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ CVE-2024-2660                                                                                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 6.4/10 (Medium)                                                                                                                                                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H                                                                                                                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2024-2660?component-type=golang&component-name=github.com%2Fhashicorp%2Fvault%2Fapi&utm_source=nancy-client&utm_medium=integration&utm_content=0.0.0-dev ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

Note: As of today latest version of github.com/hashicorp/vault/api is v1.14.0 and not v1.16.0 as shown in the above report

$ go list -versions -m github.com/hashicorp/vault/api
github.com/hashicorp/vault/api v0.4.0 v1.0.1 v1.0.2 v1.0.3 v1.0.4 v1.1.0 v1.1.1 v1.2.0 v1.3.0 v1.3.1 v1.4.0 v1.4.1 v1.5.0 v1.6.0 v1.7.0 v1.7.1 v1.7.2 v1.8.0 v1.8.1 v1.8.2 v1.8.3 v1.9.0 v1.9.1 v1.9.2 v1.10.0 v1.11.0 v1.12.0 v1.12.1 v1.12.2 v1.13.0 v1.14.0

Update github.com/hashicorp/vault/api to v1.14.0 to fix: [CVE-2024-2660] CWE-703: Improper Check or Handling of Exceptional Conditions https://ossindex.sonatype.org/vulnerability/CVE-2024-2660 Signed-off-by: Theo Brigitte <theo.brigitte@gmail.com>

Upstream fix getsops/sops#1519

felixfontein · 2024-06-01T20:51:48Z

This has similar problems in CI as #1515. @getsops/maintainers can someone with more Go experience take a look at this?

Signed-off-by: Theo Brigitte <theo.brigitte@gmail.com>

TheoBrigitte · 2024-06-02T03:20:07Z

This has similar problems in CI as #1515. @getsops/maintainers can someone with more Go experience take a look at this?

This happens when running go mod tidy with a go version < 1.21, since CI uses go1.21.10

At first I did not felt like updating the go version in this PR.

felixfontein · 2024-06-02T10:49:50Z

My guess is that #1427 should have also bumped the go version in go.mod, even though at that point that version was already outdated (1.19 instead of 1.20).

TheoBrigitte · 2024-06-02T11:41:19Z

Should I move the go version update to a different PR or you're fine having this change here ?

felixfontein · 2024-06-02T12:29:08Z

I guess it's fine here, but for this kind of PRs I prefer input from someone else from the maintainer team since I'm not that familiar with the Golang module mechanism :)

sabre1041 · 2024-06-02T12:31:07Z

I guess it's fine here, but for this kind of PRs I prefer input from someone else from the maintainer team since I'm not that familiar with the Golang module mechanism :)

Will review this pr later today

sabre1041

LGTM

felixfontein · 2024-06-03T04:28:31Z

@TheoBrigitte thanks for fixing this!
@sabre1041 thanks for reviewing!

Fix CVE-2024-2660

5693ed9

Update github.com/hashicorp/vault/api to v1.14.0 to fix: [CVE-2024-2660] CWE-703: Improper Check or Handling of Exceptional Conditions https://ossindex.sonatype.org/vulnerability/CVE-2024-2660 Signed-off-by: Theo Brigitte <theo.brigitte@gmail.com>

TheoBrigitte force-pushed the CVE-2024-2660 branch from 770297f to 5693ed9 Compare June 1, 2024 19:57

TheoBrigitte added a commit to giantswarm/kubectl-gs that referenced this pull request Jun 1, 2024

extend CVE-2024-2660 ignore to 2024-07-31

9c508f8

Upstream fix getsops/sops#1519

felixfontein requested a review from a team June 1, 2024 20:50

use go1.21

4912b54

Signed-off-by: Theo Brigitte <theo.brigitte@gmail.com>

TheoBrigitte force-pushed the CVE-2024-2660 branch from 1090801 to 4912b54 Compare June 2, 2024 03:18

Merge branch 'main' into CVE-2024-2660

c2ce97c

sabre1041 approved these changes Jun 2, 2024

View reviewed changes

felixfontein merged commit 932dc03 into getsops:main Jun 3, 2024

TheoBrigitte deleted the CVE-2024-2660 branch June 3, 2024 08:10

h7x4 mentioned this pull request Jul 1, 2024

sops: 3.8.1 -> 3.9.0 NixOS/nixpkgs#323177

Merged

13 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix CVE-2024-2660#1519

Fix CVE-2024-2660#1519
felixfontein merged 3 commits into
getsops:mainfrom
TheoBrigitte:CVE-2024-2660

TheoBrigitte commented Jun 1, 2024

Uh oh!

felixfontein commented Jun 1, 2024

Uh oh!

TheoBrigitte commented Jun 2, 2024 •

edited

Loading

Uh oh!

felixfontein commented Jun 2, 2024

Uh oh!

TheoBrigitte commented Jun 2, 2024

Uh oh!

felixfontein commented Jun 2, 2024

Uh oh!

sabre1041 commented Jun 2, 2024

Uh oh!

sabre1041 left a comment

Uh oh!

felixfontein commented Jun 3, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

TheoBrigitte commented Jun 1, 2024

Uh oh!

felixfontein commented Jun 1, 2024

Uh oh!

TheoBrigitte commented Jun 2, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

felixfontein commented Jun 2, 2024

Uh oh!

TheoBrigitte commented Jun 2, 2024

Uh oh!

felixfontein commented Jun 2, 2024

Uh oh!

sabre1041 commented Jun 2, 2024

Uh oh!

sabre1041 left a comment

Choose a reason for hiding this comment

Uh oh!

felixfontein commented Jun 3, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

TheoBrigitte commented Jun 2, 2024 •

edited

Loading