github.com/dependabot-fixtures/go-major-mismatch-v1.0.4: 3 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com]

Vulnerable Library - github.com/dependabot-fixtures/go-major-mismatch-v1.0.4

Path to dependency file: /go_modules/spec/fixtures/projects/module_major_version_mismatch_v0/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (github.com/dependabot-fixtures/go-major-mismatch-v1.0.4 version)	Remediation Possible**	Reachability
CVE-2022-32149	High	7.5	golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c	Transitive	N/A*	❌
CVE-2021-38561	High	7.5	golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c	Transitive	N/A*	❌
CVE-2020-14040	High	7.5	golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-32149

Vulnerable Library - golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c

[mirror] Go text processing support

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.zip

Path to dependency file: /go_modules/spec/fixtures/projects/module_major_version_mismatch_v0/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod

Dependency Hierarchy:

• github.com/dependabot-fixtures/go-major-mismatch-v1.0.4 (Root Library)
  • rsc.io/quote-v1.5.0
    • rsc.io/sampler-v1.3.0
      • ❌ golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

CVE-2021-38561

Vulnerable Library - golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c

[mirror] Go text processing support

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.zip

Path to dependency file: /go_modules/spec/fixtures/projects/module_major_version_mismatch_v0/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod

Dependency Hierarchy:

• github.com/dependabot-fixtures/go-major-mismatch-v1.0.4 (Root Library)
  • rsc.io/quote-v1.5.0
    • rsc.io/sampler-v1.3.0
      • ❌ golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c (Vulnerable Library)

Found in base branch: main

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7

CVE-2020-14040

Vulnerable Library - golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c

[mirror] Go text processing support

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.zip

Path to dependency file: /go_modules/spec/fixtures/projects/module_major_version_mismatch_v0/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod

Dependency Hierarchy:

• github.com/dependabot-fixtures/go-major-mismatch-v1.0.4 (Root Library)
  • rsc.io/quote-v1.5.0
    • rsc.io/sampler-v1.3.0
      • ❌ golang.org/x/text-v0.0.0-20170915032832-14c0d48ead0c (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3