Critical vulnerability detected in a dependency #1211

Open
jakub-m-sobczak opened this issue Dec 16, 2024 · 2 comments

Comments

@jakub-m-sobczak

Describe the Bug
A critical vulnerability in golang.org/x/crypto was detected by Grype:

NAME                          INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/golang-jwt/jwt/v4  v4.4.2     4.5.1     go-module  GHSA-29wx-vh33-7x7r  Low
golang.org/x/crypto           v0.27.0    0.31.0    go-module  GHSA-v778-237x-gjrc  Critical
libcrypto3                    3.1.7-r0   3.1.7-r1  apk        CVE-2024-9143        Medium
libssl3                       3.1.7-r0   3.1.7-r1  apk        CVE-2024-9143        Medium

Vuln:
CVE-2024-45337

Migrate Version
v4.18.1

Go Version
1.22

Additional context
This can be fixed with a PR by bumping golang.org/x/crypto from 0.27.0 to 0.31.0: #1210

@joschi
Contributor

joschi commented Dec 16, 2024

The respective functionality (SSH server in golang.org/x/crypto/ssh) affected by CVE-2024-45337 is not used by migrate at all; I think this is not really critical in the context of this project.

Updating the dependency would be nice, but it's not a game changer.

@jakub-m-sobczak
Author

Thanks @joschi. You're right. However, for some, not updating the dependency may be a little uncomfortable, because Criticals have this annoying tendency to stop builds 😃
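The "Criticals stop builds" behaviour discussed above, as an added example that is not part of the migrate project: a small POSIX sh gate that reads Grype's table output (the constructed sample is the table quoted in the issue), fails when any finding meets a severity threshold, and a version comparison that decides whether the installed golang.org/x/crypto is still below the fixed version. The severity names and column order are assumed to match Grype's default table output as shown in the report.

```shell
#!/bin/sh
# Added example, not code from the migrate project or from Grype.

# Constructed sample: the Grype table quoted in the issue above.
GRYPE_TABLE='NAME                          INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/golang-jwt/jwt/v4  v4.4.2     4.5.1     go-module  GHSA-29wx-vh33-7x7r  Low
golang.org/x/crypto           v0.27.0    0.31.0    go-module  GHSA-v778-237x-gjrc  Critical
libcrypto3                    3.1.7-r0   3.1.7-r1  apk        CVE-2024-9143        Medium
libssl3                       3.1.7-r0   3.1.7-r1  apk        CVE-2024-9143        Medium'

# severity_rank SEVERITY: map a Grype severity name to a number for threshold checks.
severity_rank() {
  case "$1" in
    Critical) echo 4 ;; High) echo 3 ;; Medium) echo 2 ;; Low) echo 1 ;; *) echo 0 ;;
  esac
}

# grype_gate THRESHOLD: read a Grype table on stdin, print each finding at or above
# THRESHOLD, and return 1 if any exists. Returning 1 is what fails a CI job.
grype_gate() {
  min=$(severity_rank "$1")
  found=0
  while read -r name installed fixed type vuln severity; do
    [ "$name" = "NAME" ] && continue     # header row
    [ -z "$name" ] && continue           # blank line
    if [ "$(severity_rank "$severity")" -ge "$min" ]; then
      printf 'BLOCK %s %s -> %s (%s, %s)\n' "$name" "$installed" "$fixed" "$vuln" "$severity"
      found=1
    fi
  done
  return $found
}

# version_lt A B: true when dotted version A is older than B; a leading "v" is ignored,
# so "v0.27.0" (go.mod style) compares against "0.31.0" (Grype FIXED-IN style).
version_lt() {
  a=${1#v}; b=${2#v}
  awk -v a="$a" -v b="$b" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1 }'
}
```

A severity gate only says that a vulnerable version is present; whether the affected symbols are actually reachable from the binary, which is the point raised above, is what `govulncheck ./...` reports, and it is the better basis for deciding how urgent the bump is.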
