x/vulndb: potential Go vuln in github.com/cortexproject/cortex: GHSA-vw7g-3cc7-7rmh

[GoVulnBot]

Advisory GHSA-vw7g-3cc7-7rmh references a vulnerability in the following Go modules:

Module
github.com/cortexproject/cortex

Description:
A TLS certificate verification issue discovered in cortex v0.42.1 allows attackers to obtain sensitive information via the makeOperatorRequest function.

References:

• ADVISORY: GHSA-vw7g-3cc7-7rmh
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41265
• WEB: https://gist.github.com/nyxfqq/1a8237f3f9cf793c6433f08b17d1593c

Cross references:

• github.com/cortexproject/cortex appears in 3 other report(s):
  • data/excluded/GO-2022-0915.yaml (x/vulndb: potential Go vuln in github.com/cortexproject/cortex: CVE-2021-31232, GHSA-m45g-f45x-vv22 #915) NOT_IMPORTABLE
  • data/excluded/GO-2022-0927.yaml (x/vulndb: potential Go vuln in github.com/cortexproject/cortex: CVE-2021-36157, GHSA-jphm-g89m-v42p #927) NOT_IMPORTABLE
  • data/reports/GO-2022-1175.yaml (x/vulndb: potential Go vuln in github.com/cortexproject/cortex: CVE-2022-23536 #1175)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cortexproject/cortex
      vulnerable_at: 1.17.1
summary: cortex establishes TLS connections with `InsecureSkipVerify` set to `true` in github.com/cortexproject/cortex
cves:
    - CVE-2024-41265
ghsas:
    - GHSA-vw7g-3cc7-7rmh
references:
    - advisory: https://github.com/advisories/GHSA-vw7g-3cc7-7rmh
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41265
    - web: https://gist.github.com/nyxfqq/1a8237f3f9cf793c6433f08b17d1593c
source:
    id: GHSA-vw7g-3cc7-7rmh
    created: 2024-08-02T22:01:12.234833231Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports