
Security issue in latest nats-streaming image #1306

@vr2388

Description

When we scan the nats-streaming latest image we get the following CRITICAL and HIGH severity issues:

nats-streaming-server (gobinary)
================================
Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 1, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.15.0           │ 0.17.0          │ ssh: Prefix truncation attack on Binary Packet Protocol      │
│                     │                │          │        │                   │                 │ (BPP)                                                        │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-48795                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2024-24790 │ CRITICAL │        │ 1.20.11           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                     │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                     ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                     │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                     ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
NAME                 INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
golang.org/x/crypto  v0.15.0    0.17.0    go-module  GHSA-45x7-px36-x8w8  Medium    
stdlib               go1.20.11            go-module  CVE-2024-24790       Critical  
stdlib               go1.20.11            go-module  CVE-2024-24791       High      
stdlib               go1.20.11            go-module  CVE-2023-45285       High     

Please provide a fix for these security issues.
