
Update dependencies, Go version and address CVEs #1474

Merged
merged 5 commits into dapr:master from update-dependencies-and-go-version
Jan 9, 2025

Conversation

antontroshin
Contributor

Description

This PR addresses multiple CVEs found by running trivy locally.
Updated the Component validation usage with the newly exposed wrapper (dapr/dapr#8363), due to runtime changes in loading components and it being in internal.
The scan results before updating dependencies:

┌───────────────────────────────────────┬─────────────────────┬──────────┬──────────┬────────────────────────────────────────────────────────────┬────────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │  Status  │                     Installed Version                      │   Fixed Version    │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼──────────┼────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudevents/sdk-go/v2      │ CVE-2024-28110      │ MEDIUM   │ fixed    │ v2.14.0                                                    │ 2.15.2             │ cloudevents/sdk-go: usage of WithRoundTripper to create a    │
│                                       │                     │          │          │                                                            │                    │ Client leaks credentials                                     │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-28110                   │
├───────────────────────────────────────┼─────────────────────┤          │          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd      │ GHSA-7ww5-4wqc-m92c │          │          │ v1.6.18                                                    │ 1.6.26, 1.7.11     │ containerd allows RAPL to be accessible to a container       │
│                                       │                     │          │          │                                                            │                    │ https://github.com/advisories/GHSA-7ww5-4wqc-m92c            │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/distribution V      │ CVE-2023-2253       │ HIGH     │          │ v2.8.1+incompatible                                        │ 2.8.2-beta.1       │ distribution/distribution: DoS from malicious API request    │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2023-2253                    │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v4          │ CVE-2024-51744      │ LOW      │          │ v4.5.0                                                     │ 4.5.1              │ golang-jwt: Bad documentation of error handling in           │
│                                       │                     │          │          │                                                            │                    │ ParseWithClaims can lead to potentially...                   │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-51744                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-retryablehttp │ CVE-2024-6104       │ MEDIUM   │          │ v0.7.1                                                     │ 0.7.7              │ go-retryablehttp: url might write sensitive information to   │
│                                       │                     │          │          │                                                            │                    │ log file                                                     │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-6104                    │
├───────────────────────────────────────┼─────────────────────┤          │          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/lestrrat-go/jwx/v2         │ CVE-2024-28122      │          │          │ v2.0.19                                                    │ 2.0.21             │ jwx: denial of service attack using compressed JWE message   │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-28122                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/moby                  │ CVE-2024-36621      │ HIGH     │          │ v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible │ 26.0.0             │ moby: Race Condition in Moby's Snapshot Layer Handling       │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-36621                   │
│                                       ├─────────────────────┤          │          │                                                            │                    ├──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2024-36623      │          │          │                                                            │                    │ moby: Race Condition in Moby's streamformatter Package       │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-36623                   │
│                                       ├─────────────────────┼──────────┤          │                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2020-27534      │ MEDIUM   │          │                                                            │ 19.03.9            │ moby/buildkit: calls os.OpenFile with a potentially unsafe   │
│                                       │                     │          │          │                                                            │                    │ qemu-check temporary pathname                                │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2020-27534                   │
│                                       ├─────────────────────┤          │          │                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2021-21284      │          │          │                                                            │ 19.3.15, 20.10.3   │ docker: access to remapped root allows privilege escalation  │
│                                       │                     │          │          │                                                            │                    │ to real root                                                 │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2021-21284                   │
│                                       ├─────────────────────┤          │          │                                                            │                    ├──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2021-21285      │          │          │                                                            │                    │ docker: daemon crash during image pull of malicious image    │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2021-21285                   │
│                                       ├─────────────────────┤          │          │                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2021-41091      │          │          │                                                            │ 20.10.9            │ moby: data directory contains subdirectories with            │
│                                       │                     │          │          │                                                            │                    │ insufficiently restricted permissions, which could lead...   │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2021-41091                   │
│                                       ├─────────────────────┤          │          │                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2022-24769      │          │          │                                                            │ 20.10.14           │ moby: Default inheritable capabilities for linux container   │
│                                       │                     │          │          │                                                            │                    │ should be empty                                              │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2022-24769                   │
│                                       ├─────────────────────┤          │          │                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2024-24557      │          │          │                                                            │ 24.0.9, 25.0.2     │ moby: classic builder cache poisoning                        │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-24557                   │
│                                       ├─────────────────────┤          │          │                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ GHSA-xmmx-7jpf-fx42 │          │          │                                                            │ 20.10.11           │ Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest │
│                                       │                     │          │          │                                                            │                    │ parsing                                                      │
│                                       │                     │          │          │                                                            │                    │ https://github.com/advisories/GHSA-xmmx-7jpf-fx42            │
├───────────────────────────────────────┼─────────────────────┤          │          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc        │ CVE-2024-45310      │          │          │ v1.1.12                                                    │ 1.1.14, 1.2.0-rc.3 │ runc: runc can be tricked into creating empty                │
│                                       │                     │          │          │                                                            │                    │ files/directories on host                                    │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-45310                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto                   │ CVE-2024-45337      │ CRITICAL │          │ v0.21.0                                                    │ 0.31.0             │ golang.org/x/crypto/ssh: Misuse of                           │
│                                       │                     │          │          │                                                            │                    │ ServerConfig.PublicKeyCallback may cause authorization       │
│                                       │                     │          │          │                                                            │                    │ bypass in golang.org/x/crypto                                │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-45337                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                      │ CVE-2024-45338      │ HIGH     │          │ v0.23.0                                                    │ 0.33.0             │ Non-linear parsing of case-insensitive content in            │
│                                       │                     │          │          │                                                            │                    │ golang.org/x/net/html                                        │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-45338                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf            │ CVE-2024-24786      │ MEDIUM   │          │ v1.32.0                                                    │ 1.33.0             │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                                       │                     │          │          │                                                            │                    │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                                       │                     │          │          │                                                            │                    │ certain forms of...                                          │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
├───────────────────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────────────────────────────┼────────────────────┼──────────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3                       │ CVE-2024-26147      │ HIGH     │          │ v3.11.1                                                    │ 3.14.2             │ helm: Missing YAML Content Leads To Panic                    │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-26147                   │
│                                       ├─────────────────────┼──────────┼──────────┤                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2019-25210      │ MEDIUM   │ affected │                                                            │                    │ helm: shows secrets with --dry-run option in clear text      │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2019-25210                   │
│                                       ├─────────────────────┤          ├──────────┤                                                            ├────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2024-25620      │          │ fixed    │                                                            │ 3.14.1             │ helm: Dependency management path traversal                   │
│                                       │                     │          │          │                                                            │                    │ https://avd.aquasec.com/nvd/cve-2024-25620                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴──────────┴────────────────────────────────────────────────────────────┴────────────────────┴──────────────────────────────────────────────────────────────┘

Issue reference

We strive to have all PRs opened based on an issue, where the problem or feature has been discussed prior to implementation.

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Extended the documentation

@antontroshin antontroshin requested review from a team as code owners January 7, 2025 23:43
@yaron2 yaron2 merged commit 17f4785 into dapr:master Jan 9, 2025
26 of 27 checks passed
@antontroshin antontroshin deleted the update-dependencies-and-go-version branch January 9, 2025 23:11
3 participants