CVE-2024-24791 in v6.42.0 #4163

SivaneshLogandurai · 2024-07-03T07:55:21Z

Describe what happened

Our scanning jobs have identified a new CVE "CVE-2024-24791" in the pulumi-std v1.7.2. This is an issue with the Go standard library net/http.

Sample program

N/A

Log output

Scan result

{
      "Target": "home/appian/.pulumi/plugins/resource-aws-v6.42.0/pulumi-resource-aws",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-24791",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/[email protected]",
            "UID": "f2328c2729d2b74b"
          },
          "InstalledVersion": "1.22.4",
          "FixedVersion": "1.21.12, 1.22.5",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:12b42ef700cd619bf6b070c29488e45d2706debd29cc072b6c70cfc476aba9bb",
            "DiffID": "sha256:c01c35830eba6aa5d25006afdecebf6a3ed84701acf2ab573180bd5dc488c3c0"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24791",
          "DataSource": {
            "ID": "govulndb",
            "Name": "The Go Vulnerability Database",
            "URL": "https://pkg.go.dev/vuln/"
          },
          "Description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.",
          "Severity": "UNKNOWN",
          "References": [
            "https://go.dev/cl/591255",
            "https://go.dev/issue/67555",
            "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
            "https://pkg.go.dev/vuln/GO-2024-2963"
          ],
          "PublishedDate": "2024-07-02T22:15:04.833Z",
          "LastModifiedDate": "2024-07-02T22:15:04.833Z"
        }
      ]
    }

Affected Resource(s)

No response

Output of `pulumi about`

Using pulumi v3.122.0 and pulumi-aws v6.42.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

The text was updated successfully, but these errors were encountered:

t0yv0 · 2024-07-03T16:47:50Z

Thank you for the report! My team is looking into getting this fixed.

# This is the 1st commit message: Fix import resources with provider default tags We have special logic around applying default provider tags to resources. This logic only applied to the `Check` call which means it was not applied when you were importing resources. This PR extends that logic to also run during the `Read` call. fix #4030, fix 4080 # This is the commit message #2: skip test # This is the commit message #3: fixing test # This is the commit message #4: Adding more tests # This is the commit message #5: Upgrade pulumi-terraform-bridge to v3.86.0 (#4160) This PR was generated via `$ upgrade-provider pulumi/pulumi-aws --kind=bridge --pr-reviewers=guineveresaenger`. Fixes #4091 Fixes #4137 --- - Upgrading pulumi-terraform-bridge from v3.85.0 to v3.86.0. - Upgrading pulumi-terraform-bridge/pf from v0.38.0 to v0.39.0. # This is the commit message #6: chore: run upstream provider-lint (#4120) This adds a step for running the upstream `provider-lint` make target. As part of this I had to fix some of the patches which violated some lint rules. **0009-Add-ECR-credentials_data_source.patch** - `ForceNew` does not apply to data sources **0032-DisableTagSchemaCheck-for-PF-provider.patch** - Schema have to have a `Type` - Also needed to add a ignore for `S013` which forces `Computed`, `Optional` or `Required` to be set. Looks like it can't recognize the `tagsComputed` var **0034-Fail-fast-when-PF-resources-are-dropped.patch** - Added a lint ignore for a rule which doesn't allow panics **0050-Normalize-retentionDays-in-aws_controltower_landing_.patch** - This test doesn't actually need a region or partition so replacing with a placeholder closes #4110 # This is the commit message #7: fix: CVE-2024-24791 (#4175) Fixes #4163 Upgrades minimally required Go versions to those unaffected by CVE-2024-24791.

SivaneshLogandurai added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jul 3, 2024

t0yv0 added a commit that referenced this issue Jul 3, 2024

Mandate Go versions fixing CVE-2024-24791 (#4163)

5e4175e

t0yv0 mentioned this issue Jul 3, 2024

fix: CVE-2024-24791 #4175

Merged

t0yv0 removed the needs-triage Needs attention from the triage team label Jul 3, 2024

t0yv0 closed this as completed in #4175 Jul 3, 2024

t0yv0 closed this as completed in 21c0385 Jul 3, 2024

mjeffryes assigned t0yv0 Jul 12, 2024

mjeffryes added this to the 0.107 milestone Jul 24, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-24791 in v6.42.0 #4163

CVE-2024-24791 in v6.42.0 #4163

SivaneshLogandurai commented Jul 3, 2024

t0yv0 commented Jul 3, 2024

CVE-2024-24791 in v6.42.0 #4163

CVE-2024-24791 in v6.42.0 #4163

Comments

SivaneshLogandurai commented Jul 3, 2024

Describe what happened

Sample program

Log output

Affected Resource(s)

Output of pulumi about

Additional context

Contributing

t0yv0 commented Jul 3, 2024

Output of `pulumi about`