CVEs in Portainer CE #6342

Closed
velzend opened this issue Dec 30, 2021 · 4 comments · Fixed by #6565 or #6564
velzend commented Dec 30, 2021

Bug description
Please fix the vulnerabilities and one compliance finding:

vulnerabilities:
  CVE-2021-38297: go
  CVE-2020-26160: "github.com/dgrijalva/jwt-go"
  CVE-2021-41771: go
  CVE-2021-41772: go
  CVE-2021-39293: go
  CVE-2021-33198: go
  CVE-2021-33196: go
  CVE-2021-33194: go
  CVE-2021-29923: go
  CVE-2021-27918: go
  CVE-2020-7919: go
  CVE-2020-28367: go
  CVE-2020-28366: go
  CVE-2020-28362: go
  CVE-2020-16845: go
  CVE-2019-17596: go
  CVE-2019-16276: go
  CVE-2021-33195: go
compliance:
  - "(CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user"

Expected behavior
All the CVEs are addressed and fixed in future release(s).

Portainer Logs
N/A

Steps to reproduce the issue:
N/A

Technical details:

  • Portainer version: 2.11.0
  • Docker version (managed by Portainer): N/A
  • Kubernetes version (managed by Portainer): N/A
  • Platform (windows/linux): linux
  • Command used to start Portainer (docker run -p 9443:9443 portainer/portainer): N/A
  • Browser: N/A
  • Have you reviewed our technical documentation and knowledge base? No

Additional context

      "vulnerabilities": [
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.16.5",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Critical severity",
            "Has fix",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Attack vector: network",
            "Critical severity",
            "Has fix",
            "Recent vulnerability",
            "Attack complexity: low"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Has fix",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Critical severity"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Critical severity",
            "Has fix",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-38297",
          "status": "fixed in 1.17.2, 1.16.9",
          "cvss": 9.8,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
          "severity": "critical",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Critical severity",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.16.9"
          ],
          "publishedDate": "2021-10-18T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-10-18T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-26160",
          "status": "fixed in v4.0.0-preview1",
          "cvss": 7.7,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\\\"aud\\\"] (which is allowed by the specification). Because the type assertion fails, \\\"\\\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.",
          "severity": "high",
          "packageName": "github.com/dgrijalva/jwt-go",
          "packageVersion": "v3.2.0",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<v4.0.0-preview1"
          ],
          "publishedDate": "2020-09-30T18:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-09-30T18:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.5",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41772",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.5",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-41771",
          "status": "fixed in 1.17.3, 1.16.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.16.10"
          ],
          "publishedDate": "2021-11-08T06:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-11-08T06:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-39293",
          "status": "fixed in 1.17.1, 1.16.8",
          "cvss": 7.5,
          "description": "DOCUMENTATION: A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.             STATEMENT: * In OpenShift Container Platform, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.  * This flaw is out of support scope for Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata  * Because Service Telemetry Framework1.2 will be retiring soon and the flaw\\'s impact is lower, no update will be provided at this time for STF1.2\\'s smart-gateway-container and sg-core-container.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.5",
          "link": "https://github.com/golang/go/issues/47801",
          "riskFactors": [
            "Recent vulnerability",
            "DoS",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.16.8,1.16"
          ],
          "publishedDate": "2021-08-18T00:00:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-39293",
          "status": "fixed in 1.17.1, 1.16.8",
          "cvss": 7.5,
          "description": "DOCUMENTATION: A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.             STATEMENT: * In OpenShift Container Platform, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.  * This flaw is out of support scope for Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata  * Because Service Telemetry Framework1.2 will be retiring soon and the flaw\\'s impact is lower, no update will be provided at this time for STF1.2\\'s smart-gateway-container and sg-core-container.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://github.com/golang/go/issues/47801",
          "riskFactors": [
            "DoS",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.16.8,1.16"
          ],
          "publishedDate": "2021-08-18T00:00:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33198",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33198",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33198",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33196",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive\\'s header) can cause a NewReader or OpenReader panic.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33196",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33196",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive\\'s header) can cause a NewReader or OpenReader panic.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33196",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33196",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive\\'s header) can cause a NewReader or OpenReader panic.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33196",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33194",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<=1.15.12"
          ],
          "publishedDate": "2021-05-26T15:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33194",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<=1.15.12"
          ],
          "publishedDate": "2021-05-26T15:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33194",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<=1.15.12"
          ],
          "publishedDate": "2021-05-26T15:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.6",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.16.5",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-29923",
          "status": "fixed in 1.17",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.17"
          ],
          "publishedDate": "2021-08-07T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-07T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-27918",
          "status": "fixed in 1.16.1, 1.15.9",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.9"
          ],
          "publishedDate": "2021-03-11T00:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-03-11T00:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-27918",
          "status": "fixed in 1.16.1, 1.15.9",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low"
          ],
          "impactedVersions": [
            "<1.15.9"
          ],
          "publishedDate": "2021-03-11T00:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-03-11T00:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-27918",
          "status": "fixed in 1.16.1, 1.15.9",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low"
          ],
          "impactedVersions": [
            "<1.15.9"
          ],
          "publishedDate": "2021-03-11T00:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-03-11T00:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-7919",
          "status": "fixed in 1.13.7, 1.12.16, 0.0.0",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7919",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.13.7,1.13",
            ">=1.13,1.13"
          ],
          "publishedDate": "2020-03-16T21:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-03-16T21:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28367",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28367",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "Attack vector: network",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28367",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28367",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "Attack vector: network",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28367",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28367",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28366",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28366",
          "riskFactors": [
            "Recent vulnerability",
            "Attack vector: network",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28366",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28366",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28366",
          "status": "fixed in 1.15.5, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28366",
          "riskFactors": [
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack vector: network"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28362",
          "status": "fixed in 1.15.4, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28362",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28362",
          "status": "fixed in 1.15.4, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28362",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-28362",
          "status": "fixed in 1.15.4, 1.14.12",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28362",
          "riskFactors": [
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "DoS",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.14.12"
          ],
          "publishedDate": "2020-11-18T17:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-11-18T17:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-16845",
          "status": "fixed in 1.14.7, 1.13.15",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.13.15"
          ],
          "publishedDate": "2020-08-06T18:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-08-06T18:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2020-16845",
          "status": "fixed in 1.14.7, 1.13.15",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.13.15"
          ],
          "publishedDate": "2020-08-06T18:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2020-08-06T18:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2019-17596",
          "status": "fixed in 1.13.2, 1.12.11",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "description": "Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17596",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.13.2,1.13",
            ">=1.13,1.13"
          ],
          "publishedDate": "2019-10-24T22:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2019-10-24T22:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2019-16276",
          "status": "fixed in 1.13.1, 1.12.10",
          "cvss": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "description": "Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16276",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity"
          ],
          "impactedVersions": [
            "<1.13.1,1.13",
            ">=1.13,1.13"
          ],
          "publishedDate": "2019-09-30T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2019-09-30T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33195",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.3,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "description": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.8",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
          "riskFactors": [
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33195",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.3,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "description": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
          "riskFactors": [
            "Attack complexity: low",
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        },
        {
          "id": "CVE-2021-33195",
          "status": "fixed in 1.16.5, 1.15.13",
          "cvss": 7.3,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "description": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
          "severity": "high",
          "packageName": "go",
          "packageVersion": "1.13.15",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
          "riskFactors": [
            "Attack vector: network",
            "Has fix",
            "High severity",
            "Recent vulnerability",
            "Attack complexity: low"
          ],
          "impactedVersions": [
            "<1.15.13"
          ],
          "publishedDate": "2021-08-02T19:15:00Z",
          "discoveredDate": "2021-12-30T11:30:00Z",
          "fixDate": "2021-08-02T19:15:00Z",
          "layerTime": "1970-01-01T00:00:00Z"
        }
@jamescarppe
Member

Thanks for highlighting this. We have flagged this internally with our team and we will be tackling them with the next release.

@velzend
Author

velzend commented Jan 10, 2022

That would be great! Thanks

@mariyam-portainer
Contributor

mariyam-portainer commented Feb 20, 2022

Thanks again for highlighting this issue. We have fixed trivy, Helm and Portainer vulnerabilities relating to direct dependencies for our next releases. We have tried using the latest Kompose binary, but it doesn't fix the reported vulnerabilities and adds more vulnerabilities. Hence, we chose not to change the Kompose binary for now and will look into a fix in the future, but ideally wait for Kompose's fix on their side.

@mariyam-portainer mariyam-portainer added this to the CE-2.13.0 milestone Feb 20, 2022
This was linked to pull requests Feb 20, 2022
@velzend
Author

velzend commented Feb 21, 2022 via email
