sdk-ruby icon indicating copy to clipboard operation
sdk-ruby copied to clipboard
verified publisher icon temporalio

temporal-sdk-core-api-0.1.0: 3 vulnerabilities (highest severity is: 9.1)

Open mend-for-github-com[bot] opened this issue 2 years ago • 0 comments

Vulnerable Library - temporal-sdk-core-api-0.1.0

Path to dependency file: /bridge/Cargo.toml

Path to vulnerable library: /bridge/Cargo.toml

Found in HEAD commit: [63b662559cd583d424ccbd121f96a1194e1fa2eb](https://github.com/temporalio/sdk-ruby/commit/63b662559cd583d424ccbd121f96a1194e1fa2eb)

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (temporal-sdk-core-api version) Remediation Possible**
WS-2023-0045 Critical 9.1 remove_dir_all-0.5.3.crate Transitive N/A*
CVE-2018-16875 High 7.5 webpki-0.22.0.crate Transitive N/A*
CVE-2023-26964 High 7.5 hyper-0.14.23.crate Transitive N/A*

_For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

_*In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0045

Vulnerable Library - remove_dir_all-0.5.3.crate

A safe, reliable implementation of remove_dir_all for Windows

Library home page: [https://crates.io/api/v1/crates/remove_dir_all/0.5.3/download](https://crates.io/api/v1/crates/remove_dir_all/0.5.3/download)

Path to dependency file: /bridge/Cargo.toml

Path to vulnerable library: /bridge/Cargo.toml

Dependency Hierarchy:

  • temporal-sdk-core-api-0.1.0 (Root Library)
    • temporal-client-0.1.0
      • temporal-sdk-core-protos-0.1.0
        • prost-wkt-types-0.4.0.crate
          • prost-build-0.11.6.crate
            • tempfile-3.3.0.crate
              • :x: remove_dir_all-0.5.3.crate (Vulnerable Library)

Found in HEAD commit: [63b662559cd583d424ccbd121f96a1194e1fa2eb](https://github.com/temporalio/sdk-ruby/commit/63b662559cd583d424ccbd121f96a1194e1fa2eb)

Found in base branch: main

Vulnerability Details

The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.

Publish Date: 2023-02-24

URL: [WS-2023-0045](https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead)

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click [here](https://www.first.org/cvss/calculator/3.0).

Suggested Fix

Type: Upgrade version

Origin: [https://github.com/advisories/GHSA-mc8h-8q98-g5hr](https://github.com/advisories/GHSA-mc8h-8q98-g5hr)

Release Date: 2023-02-24

Fix Resolution: remove_dir_all - 0.8.0

CVE-2018-16875

Vulnerable Library - webpki-0.22.0.crate

Web PKI X.509 Certificate Verification.

Library home page: [https://crates.io/api/v1/crates/webpki/0.22.0/download](https://crates.io/api/v1/crates/webpki/0.22.0/download)

Path to dependency file: /bridge/Cargo.toml

Path to vulnerable library: /bridge/Cargo.toml

Dependency Hierarchy:

  • temporal-sdk-core-api-0.1.0 (Root Library)
    • temporal-client-0.1.0
      • temporal-sdk-core-protos-0.1.0
        • tonic-0.8.2.crate
          • tokio-rustls-0.23.4.crate
            • rustls-0.20.7.crate
              • :x: webpki-0.22.0.crate (Vulnerable Library)

Found in HEAD commit: [63b662559cd583d424ccbd121f96a1194e1fa2eb](https://github.com/temporalio/sdk-ruby/commit/63b662559cd583d424ccbd121f96a1194e1fa2eb)

Found in base branch: main

Vulnerability Details

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

Publish Date: 2018-12-14

URL: [CVE-2018-16875](https://www.mend.io/vulnerability-database/CVE-2018-16875)

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click [here](https://www.first.org/cvss/calculator/3.0).

Suggested Fix

Type: Upgrade version

Origin: [https://github.com/advisories/GHSA-fh2r-99q2-6mmg](https://github.com/advisories/GHSA-fh2r-99q2-6mmg)

Release Date: 2018-12-14

Fix Resolution: golang 1.10.6,golang 1.11.3, webpki - 0.22.2, rustls-webpki - 0.100.2,0.101.4

CVE-2023-26964

Vulnerable Library - hyper-0.14.23.crate

A fast and correct HTTP library.

Library home page: [https://crates.io/api/v1/crates/hyper/0.14.23/download](https://crates.io/api/v1/crates/hyper/0.14.23/download)

Path to dependency file: /bridge/Cargo.toml

Path to vulnerable library: /bridge/Cargo.toml

Dependency Hierarchy:

  • temporal-sdk-core-api-0.1.0 (Root Library)
    • temporal-client-0.1.0
      • temporal-sdk-core-protos-0.1.0
        • tonic-0.8.2.crate
          • :x: hyper-0.14.23.crate (Vulnerable Library)

Found in HEAD commit: [63b662559cd583d424ccbd121f96a1194e1fa2eb](https://github.com/temporalio/sdk-ruby/commit/63b662559cd583d424ccbd121f96a1194e1fa2eb)

Found in base branch: main

Vulnerability Details

An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

Publish Date: 2023-04-11

URL: [CVE-2023-26964](https://www.mend.io/vulnerability-database/CVE-2023-26964)

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click [here](https://www.first.org/cvss/calculator/3.0).

Suggested Fix

Type: Upgrade version

Origin: [https://github.com/advisories/GHSA-f8vr-r385-rh5r](https://github.com/advisories/GHSA-f8vr-r385-rh5r)

Release Date: 2023-04-11

Fix Resolution: h2 - 0.3.17

mend-for-github-com[bot] avatar Feb 26 '23 15:02 mend-for-github-com[bot]