1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
#####
# Test of basic govulncheck in source mode
$ govulncheck -C ${moddir}/vuln ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test of basic govulncheck in source mode with expanded traces
$ govulncheck -C ${moddir}/vuln -show=traces ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: for function github.com/tidwall/gjson.Result.Get
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: for function golang.org/x/text/language.Parse
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../parse.go:<l>:<c>: golang.org/x/text/language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: for function github.com/tidwall/gjson.Result.ForEach
.../vuln.go:<l>:<c>: golang.org/vuln.main
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.Get
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Get
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.execModifier
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.modPretty
.../gjson.go:<l>:<c>: github.com/tidwall/gjson.Result.ForEach
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
#####
# Test of basic govulncheck in source mode with the -show verbose flag
$ govulncheck -C ${moddir}/vuln -show verbose ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...
=== Symbol Results ===
Vulnerability #1: GO-2021-0265
A maliciously crafted path can cause Get and other query functions to
consume excessive amounts of CPU and time.
More info: https://pkg.go.dev/vuln/GO-2021-0265
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.9.3
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get
Vulnerability #2: GO-2021-0113
Due to improper index calculation, an incorrectly formatted language tag can
cause Parse to panic via an out of bounds read. If Parse is used to process
untrusted user inputs, this may be used as a vector for a denial of service
attack.
More info: https://pkg.go.dev/vuln/GO-2021-0113
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.7
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls language.Parse
Vulnerability #3: GO-2021-0054
Due to improper bounds checking, maliciously crafted JSON objects can cause
an out-of-bounds panic. If parsing user input, this may be used as a denial
of service vector.
More info: https://pkg.go.dev/vuln/GO-2021-0054
Module: github.com/tidwall/gjson
Found in: github.com/tidwall/gjson@v1.6.5
Fixed in: github.com/tidwall/gjson@v1.6.6
Example traces found:
#1: .../vuln.go:<l>:<c>: vuln.main calls gjson.Result.Get, which eventually calls gjson.Result.ForEach
=== Package Results ===
No other vulnerabilities found.
=== Module Results ===
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean shutdown that
was preempted by a fatal error. This condition can be exploited by a
malicious client to cause a denial of service.
More info: https://pkg.go.dev/vuln/GO-2022-0969
Standard library
Found in: net/http@go1.18
Fixed in: net/http@go1.18.6
Vulnerability #2: GO-2020-0015
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String. If used
to parse user supplied input, this may be used as a denial of service
vector.
More info: https://pkg.go.dev/vuln/GO-2020-0015
Module: golang.org/x/text
Found in: golang.org/x/text@v0.3.0
Fixed in: golang.org/x/text@v0.3.3
Your code is affected by 3 vulnerabilities from 2 modules.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
|
