ZITADEL recommends upgrading to the latest versions available in due course.
If updating the zitadel-go library is not an option, updating the affected (transient) dependencies works as a workaround.
=== Symbol Results ===
Vulnerability #1: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
More info: https://pkg.go.dev/vuln/GO-2024-2687
Module: golang.org/x/net
Found in: golang.org/x/net@v0.19.0
Fixed in: golang.org/x/net@v0.23.0
Example traces found:
#1: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.ConnectionError.Error
#2: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.ErrCode.String
#3: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
#4: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameType.String
#5: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.ReadFrame
#6: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteContinuation
#7: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteData
#8: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteGoAway
#9: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteHeaders
#10: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WritePing
#11: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteRSTStream
#12: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettings
#13: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettingsAck
#14: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteWindowUpdate
#15: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.GoAwayError.Error
#16: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.Setting.String
#17: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.SettingID.String
#18: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.SettingsFrame.ForeachSetting
#19: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.StreamError.Error
#20: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.chunkWriter.Write
#21: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.connError.Error
#22: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.duplicatePseudoHeaderError.Error
#23: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.gzipReader.Close
#24: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.gzipReader.Read
#25: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldNameError.Error
#26: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldValueError.Error
#27: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.pseudoHeaderError.Error
#28: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.stickyErrWriter.Write
#29: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.transportResponseBody.Close
#30: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.transportResponseBody.Read
#31: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.writeData.String
Your code is affected by 1 vulnerability from 1 module.
This scan also found 2 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
No specific configuration required.
Indirect package vulnerability. Users following example code might be impacted.
Summary
Applications using the
zitadel-go
v3
library (next
branch) might be impacted by package vulnerabilities.The output of
govulncheck
suggests that onlyexample
code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependencygolang.org/x/net v0.19.0
, CVE-2023-45288Patches
3.0.0-next versions are fixed on >= 3.0.0-next.3
ZITADEL recommends upgrading to the latest versions available in due course.
Workarounds
If updating the zitadel-go library is not an option, updating the affected (transient) dependencies works as a workaround.
Details
Direct deps:
This module is necessary because github.com/go-jose/go-jose/v3 is imported in
github.com/zitadel/zitadel-go/v3/pkg/client/system
.This module is necessary because google.golang.org/protobuf/reflect/protoreflect is imported in
github.com/zitadel/zitadel-go/v3/example/api/grpc/proto
.Transitive deps:
This module is necessary because golang.org/x/net/trace is imported in:
github.com/zitadel/zitadel-go/v3/example/api/grpc
google.golang.org/grpc
govulncheck
PoC
No specific configuration required.
Impact
Indirect package vulnerability. Users following example code might be impacted.
References
Credits
Thanks to @helpisdev for reporting this.