    golang.org/x/crypto 0.24.0 (golang)
pkg:golang/golang.org/x/crypto@0.24.0
# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
 Improper Authorization
| Affected range | <0.31.0 | | Fixed version | 0.31.0 | | CVSS Score | 9.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
|
golang.org/x/crypto 0.25.0 (golang)
pkg:golang/golang.org/x/crypto@0.25.0
# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex
Improper Authorization
| Affected range | <0.31.0 | | Fixed version | 0.31.0 | | CVSS Score | 9.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
|
   stdlib 1.22.4 (golang)
pkg:golang/stdlib@1.22.4
# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | >=1.22.0-0
<1.22.5
| | Fixed version | 1.22.5 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.
An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.218% | | EPSS Percentile | 60th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.22.11 | | Fixed version | 1.22.11 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
| Affected range | <1.22.11 | | Fixed version | 1.22.11 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.
In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
| Affected range | <1.22.12 | | Fixed version | 1.22.12 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
|
 stdlib 1.22.5 (golang)
pkg:golang/stdlib@1.22.5
# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.218% | | EPSS Percentile | 60th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.22.11 | | Fixed version | 1.22.11 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
| Affected range | <1.22.11 | | Fixed version | 1.22.11 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.
In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
| Affected range | <1.22.12 | | Fixed version | 1.22.12 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
|
   openssl 3.3.1-r3 (apk)
pkg:apk/alpine/openssl@3.3.1-r3?os_name=alpine&os_version=3.20
# Dockerfile (38:57)
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS stager
RUN mkdir -p /var/dex
RUN mkdir -p /etc/dex
COPY config.docker.yaml /etc/dex/
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS gomplate
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
ENV GOMPLATE_VERSION=v4.0.1
RUN wget -O /usr/local/bin/gomplate \
"https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
&& chmod +x /usr/local/bin/gomplate
# For Dependabot to detect base image versions
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS alpine
| Affected range | <3.3.2-r0 | | Fixed version | 3.3.2-r0 | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
| Affected range | <3.3.2-r1 | | Fixed version | 3.3.2-r1 | | EPSS Score | 0.044% | | EPSS Percentile | 12th percentile |
Description
| Affected range | <3.3.2-r2 | | Fixed version | 3.3.2-r2 | | EPSS Score | 0.044% | | EPSS Percentile | 15th percentile |
Description
| Affected range | <3.3.3-r0 | | Fixed version | 3.3.3-r0 |
Description |
golang.org/x/net 0.27.0 (golang)
pkg:golang/golang.org/x/net@0.27.0
# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex
 Allocation of Resources Without Limits or Throttling
| Affected range | <0.33.0 | | Fixed version | 0.33.0 | | CVSS Score | 8.7 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
|
github.com/dexidp/dex 2.41.1 (golang)
pkg:golang/github.com/dexidp/dex@2.41.1
# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.107% | | EPSS Percentile | 45th percentile |
Description
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.
|
golang.org/x/net 0.26.0 (golang)
pkg:golang/golang.org/x/net@0.26.0
# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
Allocation of Resources Without Limits or Throttling
| Affected range | <0.33.0 | | Fixed version | 0.33.0 | | CVSS Score | 8.7 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | | EPSS Score | 0.045% | | EPSS Percentile | 18th percentile |
Description
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
|
  github.com/aws/aws-sdk-go 1.54.10 (golang)
pkg:golang/github.com/aws/aws-sdk-go@1.54.10
# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.048% | | EPSS Percentile | 20th percentile |
Description
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.044% | | EPSS Percentile | 15th percentile |
Description
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
|
google.golang.org/grpc 1.64.0 (golang)
pkg:golang/google.golang.org/grpc@1.64.0
# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
 Exposure of Sensitive Information to an Unauthorized Actor
| Affected range | >=1.64.0
<1.64.1
| | Fixed version | 1.64.1 |
Description
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
|
