Summary
The Sentry go module is dependent upon a number of third-party modules that have recognised security vulnerabilities.
github.com/kataras/iris/v12 - v12.1.8
This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.
More Info:
• https://nvd.nist.gov/vuln/detail/CVE-2021-23772
• CVE-2021-23772
• kataras/iris@e213dba
gopkg.in/yaml.v2 - v2.2.4
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
More Info:
• CVE-2019-11254
• CVE-2019-11254: kube-apiserver Denial of Service vulnerability from malicious YAML payloads kubernetes/kubernetes#89535
• https://github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8
Motivation
The security policy and vulnerability disclosure document (https://sentry.io/security/#vulnerability-disclosure) indicates that Sentry wishes to maintain a secure environment. Updating these modules will help maintain those aspirations.
Additional Context
There was a recent merge (#411) that resolved one of the other security vulnerabilities which I haven't listed, thank you. I hope that providing you this information will allow you to close these further two and perhaps do a security release.
These vulnerabilities were identified using Meterian where we are using github.com/getsentry/sentry-go:v0.12.0 in all our packages. The kataras module has three vulnerabilities caused by their third-party modules (github.com/microcosm-cc/bluemonday:v1.0.2, github.com/kataras/neffos:v0.0.14 and github.com/nats-io/nats.go:v1.9.1). The yaml vulnerability is self-contained.
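The two issue classes in this report (a client-controlled upload file name that escapes the target folder, and a parser that burns CPU on a hostile document) each have a standard defensive check. The block below is an added example in Go and is not code from sentry-go, iris or go-yaml; `SafeUploadPath` and `DecodeBounded` are hypothetical helpers, the `/srv/uploads` directory and the file names are constructed, and `DecodeBounded` takes the parser as a function parameter so it can wrap any decoder (the sample in `main` uses a constructed slow decoder in place of a real YAML parser).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
	"time"
)

// Added example, not project code: two defensive checks for the two issue
// classes in this report.

var (
	ErrUnsafeName    = errors.New("unsafe upload file name")
	ErrBodyTooLarge  = errors.New("input exceeds size limit")
	ErrDecodeTimeout = errors.New("decoder exceeded time budget")
)

// SafeUploadPath resolves a client-supplied multipart file name inside
// destDir. Names carrying any directory component are rejected rather than
// silently flattened; the joined path is then re-checked to still lie inside
// destDir as defence in depth.
func SafeUploadPath(destDir, clientName string) (string, error) {
	// Treat backslashes as separators too: on Unix, filepath would otherwise
	// see "..\\..\\x" as one flat file name and never notice the traversal.
	name := strings.ReplaceAll(clientName, "\\", "/")
	switch {
	case name == "", name == ".", name == "..":
		return "", ErrUnsafeName
	case strings.Contains(name, "/"), strings.ContainsRune(name, 0):
		return "", ErrUnsafeName
	}
	root, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, name) // Join cleans the result
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

// DecodeBounded reads at most maxBytes from r and runs decode on the bytes
// under a wall-clock budget. A huge document never reaches the parser; a
// small but pathological one is abandoned when the budget expires.
// decode is whatever parser the caller uses (yaml.Unmarshal, for instance).
func DecodeBounded(r io.Reader, maxBytes int64, budget time.Duration, decode func([]byte) error) error {
	// Read one byte past the limit so an over-size body is detected instead
	// of being silently truncated into a different (possibly valid) document.
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(data)) > maxBytes {
		return ErrBodyTooLarge
	}
	ctx, cancel := context.WithTimeout(context.Background(), budget)
	defer cancel()
	done := make(chan error, 1)
	go func() { done <- decode(data) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		// The decode goroutine cannot be interrupted, so the CPU it burns is
		// only reclaimed when it returns. Pair this with a per-client request
		// limit so the budget bounds accepted work, not just response latency.
		return ErrDecodeTimeout
	}
}

func main() {
	// Constructed sample inputs: one benign name and two traversal attempts.
	for _, n := range []string{"report.pdf", "../../etc/passwd", "..\\..\\x"} {
		p, err := SafeUploadPath("/srv/uploads", n)
		fmt.Printf("%q -> %q %v\n", n, p, err)
	}
	// Constructed stand-in for an expensive parser: it just sleeps.
	slow := func([]byte) error { time.Sleep(200 * time.Millisecond); return nil }
	fmt.Println(DecodeBounded(strings.NewReader("a: 1"), 1<<20, 20*time.Millisecond, slow))
}
```

The byte limit belongs in front of every parser that consumes request bodies, not only YAML; the time budget is a backstop for inputs that are small but quadratic or worse to parse, and it only limits how long a request waits, not how much CPU the abandoned goroutine still spends.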