[Apiiro] 2 risks

[haimlebo]

@@@seperated @@@

Discovered on: Jul 28, 2024 13:41
Due date: Jul 29, 2024 13:41
Dependency: golang.org/x/net
Version: 0.0.0-20190311183353-d8887717615a
Type: Sub dependency
Introduced through:

• github.com/smartystreets/goconvey: 1.6.4 > golang.org/x/tools: 0.0.0-20190328211700-ab21143f2384 > golang.org/x/net: 0.0.0-20190311183353-d8887717615a

Vulnerabilities

• golang.org/x/net/http2 Denial of Service vulnerability with CVSS score 7.5. fixed version: 0.0.0-20220906165146-f3363e06e74c
• golang.org/x/net/http vulnerable to a reset flood with CVSS score 7.5. fixed version: 0.0.0-20190813141303-74dc4d7220e7
• golang.org/x/net/http vulnerable to ping floods with CVSS score 7.5. fixed version: 0.0.0-20190813141303-74dc4d7220e7
• golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion with CVSS score 5.9. fixed version: 0.0.0-20210428140749-89ef3d95e781
• golang.org/x/net/html Infinite Loop vulnerability with CVSS score 7.5. fixed version: 0.0.0-20210520170846-37e1c6afe023
• HTTP/2 rapid reset can cause excessive work in net/http with CVSS score 7.5. fixed version: 0.17.0
• HTTP/2 Stream Cancellation Attack with CVSS score 5.3. fixed version: 0.17.0
• Improper rendering of text nodes in golang.org/x/net/html with CVSS score 6.1. fixed version: 0.13.0
• net/http, x/net/http2: close connections when receiving too many headers with CVSS score 5.3. fixed version: 0.23.0
• golang.org/x/net/http2 vulnerable to possible excessive memory growth with CVSS score 5.3. fixed version: 0.4.0
• Go net/http Header Canonicalization Cache Memory Consumption Vulnerability with CVSS score 7.5.

About this package:

External dependency: golang.org/x/net
Latest version: v0.27.0
License: BSD-3-Clause
Insights:

• Not fixable - This package includes a CVE that has not been fixed by an official release or patch
• Known exploit - This package has 1 Known Exploited Vulnerabilities.

Source: CISA.gov

• Historical CVEs - This package had at least two critical or high CVEs in two consecutive years
• No version 1 - The package releases hasn't reached v1
• Has vulnerabilities - One or more vulnerabilities have been reported for this package
• High EPSS - This package has 2 vulnerabilities that are highly likely to be exploited according to the EPSS algorithm

Remediation

Upgrade the top level dependencies (Declared in: go.mod) to change golang.org/x/net 0.0.0-20190311183353-d8887717615a to the minimum required version golang.org/x/net 0.23.0:

golang.org/x/net: 0.0.0-20190311183353-d8887717615a -> 0.23.0
View in Apiiro

Discovered on: Jul 28, 2024 14:50
Due date: Jul 29, 2024 14:50
Detection Method: User Password
Secret type: User password
Exposure: Exposed
File type: Tests
Introduced through: Link to file (2 references)
Code preview: TUSERDATA = [{'username': 'user_1', 'password': '•••••',
Validity: No validator
Source: Apiiro
View in Apiiro