File: source_vendored_text.ct

package info (click to toggle)
golang-golang-x-vuln 1.0.4-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 4,400 kB
  • sloc: sh: 161; asm: 40; makefile: 7
file content (66 lines) | stat: -rw-r--r-- 2,763 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
 
#####
# Vendored directory w text output
$ govulncheck -C ${moddir}/vendored -show verbose ./... --> FAIL 3
Scanning your code and P packages across M dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2021-0265
    A maliciously crafted path can cause Get and other query functions to
    consume excessive amounts of CPU and time.
  More info: https://pkg.go.dev/vuln/GO-2021-0265
  Module: github.com/tidwall/gjson
    Found in: github.com/tidwall/gjson@v1.6.5
    Fixed in: github.com/tidwall/gjson@v1.9.3
    Example traces found:
      #1: .../vendored.go:<l>:<c>: vendored.main calls fakemod.Leave, which calls gjson.Result.Get

Vulnerability #2: GO-2021-0113
    Due to improper index calculation, an incorrectly formatted language tag can
    cause Parse to panic via an out of bounds read. If Parse is used to process
    untrusted user inputs, this may be used as a vector for a denial of service
    attack.
  More info: https://pkg.go.dev/vuln/GO-2021-0113
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.0
    Fixed in: golang.org/x/text@v0.3.7
    Example traces found:
      #1: .../vendored.go:<l>:<c>: vendored.main calls language.Parse

=== Package Results ===

Vulnerability #1: GO-2021-0054
    Due to improper bounds checking, maliciously crafted JSON objects can cause
    an out-of-bounds panic. If parsing user input, this may be used as a denial
    of service vector.
  More info: https://pkg.go.dev/vuln/GO-2021-0054
  Module: github.com/tidwall/gjson
    Found in: github.com/tidwall/gjson@v1.6.5
    Fixed in: github.com/tidwall/gjson@v1.6.6

=== Module Results ===

Vulnerability #1: GO-2022-0969
    HTTP/2 server connections can hang forever waiting for a clean shutdown that
    was preempted by a fatal error. This condition can be exploited by a
    malicious client to cause a denial of service.
  More info: https://pkg.go.dev/vuln/GO-2022-0969
  Standard library
    Found in: net/http@go1.18
    Fixed in: net/http@go1.18.6

Vulnerability #2: GO-2020-0015
    An attacker could provide a single byte to a UTF16 decoder instantiated with
    UseBOM or ExpectBOM to trigger an infinite loop if the String function on
    the Decoder is called, or the Decoder is passed to transform.String. If used
    to parse user supplied input, this may be used as a denial of service
    vector.
  More info: https://pkg.go.dev/vuln/GO-2020-0015
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.0
    Fixed in: golang.org/x/text@v0.3.3

Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 1 vulnerability in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.