github.com/temporalio/sdk-go-v1.14.0: 3 vulnerabilities (highest severity is: 7.5) - autoclosed #2

@mend-for-github-com

Description

Vulnerable Library - github.com/temporalio/sdk-go-v1.14.0

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-30633 | High | 7.5 | github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc | Transitive | N/A | |
| CVE-2022-28131 | High | 7.5 | github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc | Transitive | N/A | |
| CVE-2022-29526 | Medium | 5.3 | github.com/golang/sys-f2425489ef4cc6bb036c8db9d487e11590636104 | Transitive | N/A | |

Details

CVE-2022-30633

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/temporalio/sdk-go-v1.14.0 (Root Library)
    • github.com/grpc/grpc-go-v1.44.0
      • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

Publish Date: 2022-08-10

URL: CVE-2022-30633

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

CVE-2022-28131

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • github.com/temporalio/sdk-go-v1.14.0 (Root Library)
    • github.com/grpc/grpc-go-v1.44.0
      • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

Publish Date: 2022-08-10

URL: CVE-2022-28131

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131

Release Date: 2022-03-29

Fix Resolution: go1.17.12,go1.18.4

CVE-2022-29526

Vulnerable Library - github.com/golang/sys-f2425489ef4cc6bb036c8db9d487e11590636104

[mirror] Go packages for low-level interaction with the operating system

Dependency Hierarchy:

  • github.com/temporalio/sdk-go-v1.14.0 (Root Library)
    • github.com/grpc/grpc-go-v1.44.0
      • github.com/golang/sys-f2425489ef4cc6bb036c8db9d487e11590636104 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-23

URL: CVE-2022-29526

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526

Release Date: 2022-06-23

Fix Resolution: go1.17.10,go1.18.2,go1.19
