Hello!
We are using ansible-operator-plugins for some internal developments and after performing SAST on the project we noticed that the used protobuf version is vulnerable to several attacks:
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
Description: Infinite loop
Info: LINK
Introduced through: google.golang.org/protobuf/internal/encoding/[email protected]
From: google.golang.org/protobuf/internal/encoding/[email protected]
Fixed in: 1.33.0
CVE: LINK
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
Description: Stack-based Buffer Overflow
Info: LINK
Introduced through: google.golang.org/protobuf/encoding/[email protected]
From: google.golang.org/protobuf/encoding/[email protected]
Fixed in: 1.32.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
Description: Infinite loop
Info: LINK
Introduced through: google.golang.org/protobuf/encoding/[email protected]
From: google.golang.org/protobuf/encoding/[email protected]
Fixed in: 1.33.0
Vulnerability Report: LINK
Would it be possible that the protobuf version is updated to the most recent version? Thank you!