github.com/prometheus/client_golang-v1.11.0: 2 vulnerabilities (highest severity is: 7.5) #294
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
1 task
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Prometheus instrumentation library for Go applications
Library home page: https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.11.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - github.com/prometheus/client_golang-v1.11.0
Prometheus instrumentation library for Go applications
Library home page: https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.11.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Found in base branch: master
Vulnerability Details
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of
promhttp.InstrumentHandler*middleware exceptRequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric withmethodlabel name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknownmethod. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing themethodlabel name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.Publish Date: 2022-02-15
URL: CVE-2022-21698
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cg3q-j54f-5p7p
Release Date: 2022-02-15
Fix Resolution: v1.11.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - google.golang.org/protobuf-v1.27.1
Go support for Google's protocol buffers
Library home page: https://proxy.golang.org/google.golang.org/protobuf/@v/v1.27.1.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Found in base branch: master
Vulnerability Details
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Publish Date: 2024-03-05
URL: CVE-2024-24786
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2024-2611
Release Date: 2024-03-05
Fix Resolution: v1.33.0
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: