CVE in github.com/pkg/sftp@v1.10.1 indirectly included by spf13/afero

[cboitel]

Preflight Checklist

• I have searched the issue tracker for an issue that matches the one I want to file, without success.
• I am not looking for support or already pursued the available support channels without success.

Viper Version

1.9.0

Go Version

1.17

Config Source

Flags, Environment variables

Format

No response

Repl.it link

No response

Code reproducing the issue

No response

Expected Behavior

go mod graph | fgrep github.com/pkg/sftp should list latest version v1.13.4 once afero has been updated/versioned to use it.

Otherwise, afero dependency should be replaced.

Actual Behavior

github.com/pkg/sftp@v1.10.1 is included.

Steps To Reproduce

No response

Additional Information

Filed an issue on afero side: spf13/afero#330 referencing the sftp issue fixed for CVE

[github-actions]

👋 Thanks for reporting!

A maintainer will take a look at your issue shortly. 👀

In the meantime: We are working on Viper v2 and we would love to hear your thoughts about what you like or don't like about Viper, so we can improve or fix those issues.

⏰ If you have a couple minutes, please take some time and share your thoughts: https://forms.gle/R6faU74qPRPAzchZ9

📣 If you've already given us your feedback, you can still help by spreading the news,
either by sharing the above link or telling people about this on Twitter:

https://twitter.com/sagikazarmark/status/1306904078967074816

Thank you! ❤️

[sagikazarmark]

Note that:

• SFTP is not a common filesystem used for Viper, as such the vulnerable code is unlikely to be executed
• You can always update SFTP in you application, so that the vulnerable version is never compiled into the final binary

Afero should be updated once a new version is out, but this is not considered a high severity issue in Viper.

[cboitel]

In the meanwhile, it could be worth publishing some security note (link to this issue) with instructions that users responsible to use replace instructions in their go.mod file to workaround the issue until a new release is out hopefully including the updated dependency.

[cboitel]

afero dependency released a version 1.70 (1.7.1since then) which includes updated sftp version. You may now bump the newer version to fix this issue

[akshaybabloo]

I think this can be closed. See #1271

[cboitel]

Looks like there still remains a dependency with v1.10.1 since it appears in go.sum. Looks like v1.10.1 is still referenced by some others dependency.

I will look at the go mod graph once I have access to laptop early next year. Maybe a go mod tidy is simply required.

[sagikazarmark]

The fact that 1.10.1 is in the go.sum file doesn't mean Go ever resolves the dependency to it. It only means it's a dependency of something, but Go will always choose the newer version.

[sagikazarmark]

Should be fixed in v1.11.0