Skip to content

The current release 0.2.1 has known critical trivy vulnerabilities #51

Open
Open
The current release 0.2.1 has known critical trivy vulnerabilities#51
@dannystaple

Description

@dannystaple
dannystaple
opened on Jun 19, 2024

The current release available (0.2.1) has the following CVE's detected:

usr/local/bin/jp (gobinary)
===========================
Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.17.1            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Also:

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2022-23806 │ CRITICAL │ fixed  │ 1.17.1            │ 1.16.14, 1.17.7 │ golang: crypto/elliptic: IsOnCurve returns true for invalid │
│         │                │          │        │                   │                 │ field elements                                              │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2022-23806                  │
│         ├────────────────┤          │        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-24538 │          │        │                   │ 1.19.8, 1.20.3  │ golang: html/template: backticks not treated as string      │
│         │                │          │        │                   │                 │ delimiters                                                  │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-24538                  │
│         ├────────────────┤          │        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-24540 │          │        │                   │ 1.19.9, 1.20.4  │ golang: html/template: improper handling of JavaScript      │
│         │                │          │        │                   │                 │ whitespace                                                  │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-24540                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions