github.com/SnowflakeDB/gosnowflake-v1.6.19: 3 vulnerabilities (highest severity is: 5.5) #10
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
ibm-mend-app
bot
added
the
Mend: dependency security vulnerability
ibm-mend-app
bot
changed the title
ibm-mend-app
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.30.0.mod
Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - golang.org/x/net-v0.30.0
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.30.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.30.0.mod
Dependency Hierarchy:
Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92
Found in base branch: master
Vulnerability Details
In Go net/http, x/net/proxy, x/net/http/httpproxy there is a proxy bypass vulnerability using IPv6 zone IDs. Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable was
set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
match and not be proxied. This affects versions before 1.23.7 and 1.24.x before 1.24.1.
Publish Date: 2025-03-08
URL: CVE-2025-22870
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: golang/go@334de79
Release Date: 2025-03-08
Fix Resolution: go1.24.1
Vulnerable Library - golang.org/x/net-v0.30.0
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.30.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.30.0.mod
Dependency Hierarchy:
Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92
Found in base branch: master
Vulnerability Details
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Publish Date: 2024-12-18
URL: CVE-2024-45338
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: golang/go#70906
Release Date: 2024-12-18
Fix Resolution: github.com/golang/net-v0.33.0
Vulnerable Library - github.com/form3tech-oss/jwt-go-v3.2.5+incompatible
Library home page: https://proxy.golang.org/github.com/form3tech-oss/jwt-go/@v/v3.2.5+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/github.com/form3tech-oss/jwt-go/@v/v3.2.5+incompatible.mod
Dependency Hierarchy:
Found in HEAD commit: a38d6324242b44e86f4799b7caed176ba9620b92
Found in base branch: master
Vulnerability Details
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in
ParseWithClaimscan lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned byParseWithClaimsreturn both error codes. If users only check for thejwt.ErrTokenExpiredusingerror.Is, they will ignore the embeddedjwt.ErrTokenSignatureInvalidand thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from thev5branch to thev4branch. In this logic, theParseWithClaimsfunction will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.Publish Date: 2024-11-04
URL: CVE-2024-51744
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-29wx-vh33-7x7r
Release Date: 2024-11-04
Fix Resolution: github.com/golang-jwt/jwt-v4.5.1
The text was updated successfully, but these errors were encountered: