This repository has been archived by the owner on Mar 29, 2022. It is now read-only.

Hi, your project pulls in 259 open-source components and has 2 vulnerabilities; please upgrade #2

Open
ghost opened this issue Mar 7, 2022 · 2 comments


ghost commented Mar 7, 2022

Detected that dtm-labs/dtf pulls in a total of 259 open-source components and has 2 vulnerabilities.

Vulnerability title: go-yaml < 2.2.8 denial-of-service vulnerability
Affected component: gopkg.in/yaml.v2@v2.2.2
Vulnerability ID: CVE-2019-11254
Description: gopkg.in/yaml.v2 is a Go package for handling the YAML format.
In versions before 2.2.8, processing malicious YAML data leads to CPU resource exhaustion.
The vulnerability was found by Kubernetes developers during fuzz testing, who also submitted the fix.
National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2020-35519
Affected range: (∞, 2.2.8)
Minimum fixed version: 2.2.8
Paths through which the affected component is introduced:
github.com/dtm-labs/dtm@->github.com/gin-gonic/gin@v1.7.0->github.com/stretchr/testify@v1.4.0->gopkg.in/yaml.v2@v2.2.2
github.com/dtm-labs/dtm@->go.uber.org/automaxprocs@v1.4.1-0.20210525221652-0180b04c18a7->github.com/stretchr/testify@v1.4.0->gopkg.in/yaml.v2@v2.2.2

There are 2 further vulnerabilities; detailed report: https://mofeisec.com/jr?p=afa7aa

yedf2 (Owner) commented Mar 7, 2022

gin has been upgraded.
But go-yaml is already at v2.4.0.
