ui icon indicating copy to clipboard operation
ui copied to clipboard
verified publisher icon criticalstack

CVE-2020-14040 (High) detected in github.com/docker/distribution-35f1369d377054088c4c2e9079ddbb6c1375105d

Open mend-bolt-for-github[bot] opened this issue 5 years ago • 0 comments

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-35f1369d377054088c4c2e9079ddbb6c1375105d

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • helm.sh/helm/v3/pkg/action-v3.5.2 (Root Library)
    • helm.sh/helm/v3/internal/experimental/registry-v3.5.2
      • github.com/deislabs/oras/pkg/auth-v0.9.0
        • github.com/docker/docker/registry-v20.10.3
          • github.com/docker/distribution/registry/client/auth-35f1369d377054088c4c2e9079ddbb6c1375105d
            • github.com/docker/distribution/registry/client-35f1369d377054088c4c2e9079ddbb6c1375105d
              • github.com/docker/distribution/registry/storage/cache/memory-35f1369d377054088c4c2e9079ddbb6c1375105d
                • :x: github.com/docker/distribution-35f1369d377054088c4c2e9079ddbb6c1375105d (Vulnerable Library)

Found in HEAD commit: 3f81d12ed6fb2bfa97132e2cfe0df6d996e1465a

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] avatar Jan 12 '21 15:01 mend-bolt-for-github[bot]