Snyk test report

Allocation of Resources Without Limits or Throttling

---

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

Remediation

Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitHub PR
• Go Advisory

---

Server-side Request Forgery (SSRF)

---

Overview

golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

Remediation

Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

References

• Git Commit
• GitHub Commit
• GitHub Commit
• GitHub Issue

---

Improper Handling of Unexpected Data Type

---

Overview

Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub Issue

---

Allocation of Resources Without Limits or Throttling

---

Overview

golang.org/x/crypto/ssh is a SSH client and server

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

Remediation

Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

References

• Git Commit
• Go Issue
• Vulnerability Advisory

---

Asymmetric Resource Consumption (Amplification)

---

Overview

Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

Remediation

Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

References

• GitHub Commit
• GitHub Release 4.5.2
• GitHub Release 5.2.2

---