Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/gitpod-io/gitpod: CVE-2024-21583 #2997

Closed
GoVulnBot opened this issue Jul 19, 2024 · 5 comments
Closed

x/vulndb: potential Go vuln in github.com/gitpod-io/gitpod: CVE-2024-21583 #2997

GoVulnBot opened this issue Jul 19, 2024 · 5 comments
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-21583 references a vulnerability in the following Go modules:

Module
github.com/gitpod-io/gitpod

Description:
Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpo...

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/gitpod-io/gitpod
      vulnerable_at: 0.10.0
summary: CVE-2024-21583 in github.com/gitpod-io/gitpod
cves:
    - CVE-2024-21583
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21583
    - fix: https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
    - fix: https://github.com/gitpod-io/gitpod/pull/19973
    - web: https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=[…]942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
    - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
    - web: https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
source:
    id: CVE-2024-21583
    created: 2024-07-19T06:01:16.172383195Z
review_status: UNREVIEWED
@tatianab
Copy link
Contributor

Fix does appear to affect Go code

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/599636 mentions this issue: data/reports: add 4 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606360 mentions this issue: data/reports: regenerate 8 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
@tatianab @gopherbot
data/reports: regenerate 8 reports
9fd9786 
  - data/reports/GO-2024-2993.yaml
  - data/reports/GO-2024-2997.yaml
  - data/reports/GO-2024-3033.yaml
  - data/reports/GO-2024-3039.yaml
  - data/reports/GO-2024-2921.yaml
  - data/reports/GO-2024-2982.yaml
  - data/reports/GO-2024-3066.yaml
  - data/reports/GO-2024-3070.yaml

Updates #2993
Updates #2997
Updates #3033
Updates #3039
Updates #2921
Updates #2982
Updates #3066
Updates #3070

Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/611375 mentions this issue: data/reports: update GO-2024-2997

gopherbot pushed a commit that referenced this issue Sep 6, 2024
@tatianab
data/reports: update GO-2024-2997
38348a7 
Fix bad URI.

  - data/reports/GO-2024-2997.yaml

Updates #2997
Fixes #3120

Change-Id: I08882a769b46b5f95f0a2182eed3ba924a78c11a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/611375
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/610809 mentions this issue: data/reports: regenerate GO-2024-2997

gopherbot pushed a commit that referenced this issue Sep 6, 2024
@tatianab
data/reports: regenerate GO-2024-2997
fcf3b07 
Regenerate with updated algorithm.

  - data/reports/GO-2024-2997.yaml

Updates #2997

Change-Id: I6c6aec10dfb4e24bae5e2f5313ecda78e7ddabe7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/610809
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot