  1. Go Driver
  2. GODRIVER-1748

CVE-2019-11254 - Known vulnerability in yaml.v2 v2.2.2

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 1.4.1
    • Fix Version/s: 1.4.2
    • Component/s: Core API
    • Security Level: Public
    • Labels:
      None

      Description

      The latest version of the mongo-go-driver imports 2 packages which in turn import gopkg.in/yaml.v2-v2.2.2. This has a vulnerability identified in https://nvd.nist.gov/vuln/detail/CVE-2019-11254 and first exposed in the Kubernetes API - https://github.com/kubernetes/kubernetes/issues/89535

      The 2 packages are:

      github.com/pelletier/go-toml@v1.4.0

      github.com/stretchr/testify@v1.4.0

      The current versions of both packages are patched to a higher level of the yaml package.

            People

            Assignee:
            divjot.arora Divjot Arora
            Reporter:
            nicholas_beenham@cable.comcast.com Nicholas Beenham
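
To confirm which requirement chains pull in the affected yaml.v2 version described in this issue, the output of `go mod graph` can be walked backwards from that module. This is an added example, not code from the issue or the driver project; the root module `example.com/app` and the driver module path `go.mongodb.org/mongo-driver` are assumptions, and the graph text is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed `go mod graph` edges; module paths are assumptions, versions are from the issue.
const sampleGraph = `example.com/app go.mongodb.org/mongo-driver@v1.4.1
go.mongodb.org/mongo-driver@v1.4.1 github.com/pelletier/go-toml@v1.4.0
go.mongodb.org/mongo-driver@v1.4.1 github.com/stretchr/testify@v1.4.0
github.com/pelletier/go-toml@v1.4.0 gopkg.in/yaml.v2@v2.2.2
github.com/stretchr/testify@v1.4.0 gopkg.in/yaml.v2@v2.2.2
`

// ChainsTo returns every requirement chain that ends at target, root first.
func ChainsTo(graph, target string) []string {
	parents := map[string][]string{} // child -> modules that require it
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			parents[f[1]] = append(parents[f[1]], f[0])
		}
	}
	if len(parents[target]) == 0 {
		return nil // nothing in the graph requires this module version
	}
	var out []string
	seen := map[string]bool{}
	var walk func(node string, tail []string)
	walk = func(node string, tail []string) {
		chain := append([]string{node}, tail...)
		if len(parents[node]) == 0 { // reached the main module
			out = append(out, strings.Join(chain, " -> "))
			return
		}
		seen[node] = true
		for _, p := range parents[node] {
			if !seen[p] { // module graphs may contain cycles
				walk(p, chain)
			}
		}
		seen[node] = false
	}
	walk(target, nil)
	sort.Strings(out)
	return out
}

func main() { fmt.Println(strings.Join(ChainsTo(sampleGraph, "gopkg.in/yaml.v2@v2.2.2"), "\n")) }
```

`go mod graph` lists requirement edges, not the version the build finally selects; `go list -m all` shows the selected version of each module.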