MongoDB Database Tools / TOOLS-3388

mongodb/mongo-tools master :go.mod - Denial of Service DoS in golang.org/x/net

    • TAR 2023-10-30

      This is an automated filing. For more information please see the wiki.

      Vulnerability: mongodb/mongo-tools master :go.mod - Denial of Service DoS in golang.org/x/net

      Package: golang.org/x/net@v0.10.0 within mongodb/mongo-tools(master):go.mod
      Version: <0.17.0
      Introduced through: golang.org/x/net@v0.10.0
      Snyk Link: https://app.snyk.io/org/cloud/project/abad283d-9d91-425f-9249-691c96514f87
      Upgrade Path: golang.org/x/net@0.17.0

      Description

      https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327

        1. Overview
          [golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.

      Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation: the client opens a stream with HEADERS and immediately cancels it with RST_STREAM, so the stream stops counting against the advertised concurrent-stream limit while the server has already started work on it, and the client can keep opening new streams at wire speed.
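      To make the mechanism concrete, the following Go model, added here as an illustration and not code from golang.org/x/net or mongo-tools, drives a simulated server-side HTTP/2 connection with an attacker's HEADERS/RST_STREAM sequence under two accounting policies. The naive policy counts only open streams, so a thousand cancelled requests leave a thousand handlers running. The hardened policy mirrors the idea of the v0.17.0 fix (handlers still running on reset streams count against the concurrency limit and further requests wait for a free slot) and caps in-flight work at the limit. The frame representation, the field names and the 100-stream limit are assumptions made for the model.

```go
package main

import "fmt"

// frame is the minimal view of an HTTP/2 frame the model needs.
type frame struct {
	kind     string // "HEADERS" opens a stream, "RST_STREAM" cancels it
	streamID uint32
}

// conn models the stream accounting of one server-side HTTP/2 connection.
// Simplified, assumed model written for this ticket; it is not the accounting
// code of golang.org/x/net/http2, only the bookkeeping Rapid Reset abuses.
type conn struct {
	maxConcurrent int             // advertised SETTINGS_MAX_CONCURRENT_STREAMS
	hardened      bool            // false: count open streams only; true: also count running handlers
	open          map[uint32]bool // streams opened by the client and not yet reset
	running       int             // handlers dispatched and not yet finished
	dispatched    int             // handlers ever started
	queue         []uint32        // hardened: requests waiting for a handler slot
	heldBack      int             // hardened: requests that were queued instead of dispatched
	rejected      int             // HEADERS refused because too many streams were open
}

func newConn(limit int, hardened bool) *conn {
	return &conn{maxConcurrent: limit, hardened: hardened, open: map[uint32]bool{}}
}

// process applies one client frame to the connection.
func (c *conn) process(f frame) {
	switch f.kind {
	case "HEADERS":
		if len(c.open) >= c.maxConcurrent {
			c.rejected++ // client exceeded the open-stream limit (a real server answers REFUSED_STREAM)
			return
		}
		c.open[f.streamID] = true
		if c.hardened && c.running >= c.maxConcurrent {
			c.queue = append(c.queue, f.streamID) // budget full: wait instead of starting a handler
			c.heldBack++
			return
		}
		c.running++
		c.dispatched++
	case "RST_STREAM":
		// The stream stops counting as open, so the client may open another at
		// once. A handler already started keeps running until it finishes; a
		// request still waiting in the queue is simply dropped.
		delete(c.open, f.streamID)
		for i, id := range c.queue {
			if id == f.streamID {
				c.queue = append(c.queue[:i], c.queue[i+1:]...)
				break
			}
		}
	}
}

// handlerDone models one handler finishing. Under the hardened policy the
// oldest queued request takes the freed slot.
func (c *conn) handlerDone() {
	if c.running == 0 {
		return
	}
	c.running--
	if c.hardened && len(c.queue) > 0 {
		c.queue = c.queue[1:]
		c.running++
		c.dispatched++
	}
}

// rapidReset builds the attacker's sequence: n streams, each opened with HEADERS
// and cancelled with RST_STREAM before the server can respond.
func rapidReset(n int) []frame {
	frames := make([]frame, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1) // client-initiated stream IDs are odd
		frames = append(frames, frame{"HEADERS", id}, frame{"RST_STREAM", id})
	}
	return frames
}

// run feeds frames to a fresh connection and returns its final state.
func run(limit int, hardened bool, frames []frame) *conn {
	c := newConn(limit, hardened)
	for _, f := range frames {
		c.process(f)
	}
	return c
}

func main() {
	attack := rapidReset(1000)
	for _, hardened := range []bool{false, true} {
		c := run(100, hardened, attack)
		fmt.Printf("hardened=%-5v open=%d running=%d dispatched=%d heldBack=%d queued=%d rejected=%d\n",
			hardened, len(c.open), c.running, c.dispatched, c.heldBack, len(c.queue), c.rejected)
	}
}
```

      The naive connection never refuses anything because the client's open-stream count stays at zero or one; the cost lands entirely on the server side, as handler goroutines and whatever they allocate. The hardened connection does the same amount of protocol work but bounds what it executes, which is why the real fix is a server-side accounting change rather than a client-facing protocol change.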

        2. Remediation
          Upgrade `golang.org/x/net` (the module that provides `golang.org/x/net/http2`) to version 0.17.0 or higher. This fixes only the HTTP/2 server code in this module; the copy bundled into the standard library's `net/http` is affected by the same CVE and is fixed by the Go toolchain (Go 1.20.10 / 1.21.3), not by this module upgrade.
        3. References

      Risk Rating

      CVSSv3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H
      CVSSSCORE: 7.5
      Severity: high
      CVE: CVE-2023-44487
      CWE: CWE-400

      Dependency Chain:

      1) golang.org/x/net:v0.10.0
      2) golang.org/x/net:v0.10.0 <-- github.com/aws/aws-sdk-go:v1.44.317
      3) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0
      4) golang.org/x/net:v0.10.0 <-- github.com/craiggwilson/goke:v0.0.0-20220110201909-adb8bfb05d58
      5) golang.org/x/net:v0.10.0 <-- github.com/aws/aws-sdk-go:v1.44.317 <-- github.com/craiggwilson/goke:v0.0.0-20220110201909-adb8bfb05d58
      6) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/gopherjs/gopherjs:v1.17.2
      7) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/youmark/pkcs8:v0.0.0-20201027041543-1326539a0a0a
      8) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/gopherjs/gopherjs:v1.17.2 <-- github.com/smartystreets/goconvey:v1.6.4
      9) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/youmark/pkcs8:v0.0.0-20201027041543-1326539a0a0a <-- go.mongodb.org/mongo-driver:v1.10.3
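      The chains above are what you get by walking `go mod graph` output from the main module down to `golang.org/x/net`. The following Go program, added here as an illustration and not part of mongo-tools or of Snyk's tooling, does that walk over a constructed graph that mirrors a subset of these chains: it parses the `parent child` lines, reports the version minimal version selection would pick for the module, flags it if it is below the v0.17.0 fix, and prints each chain in the ticket's `<--` style. The module names and versions in the sample come from this ticket; the root module name and the exact edge set are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGraph is CONSTRUCTED `go mod graph`-style output, not the real
// mongo-tools module graph. It is rooted at a hypothetical main module and its
// edges reproduce a subset of the chains listed in the ticket. As in real
// output, the main module carries no @version and every other node does.
const sampleGraph = `github.com/mongodb/mongo-tools golang.org/x/net@v0.10.0
github.com/mongodb/mongo-tools github.com/aws/aws-sdk-go@v1.44.317
github.com/mongodb/mongo-tools golang.org/x/crypto@v0.12.0
github.com/mongodb/mongo-tools go.mongodb.org/mongo-driver@v1.10.3
github.com/aws/aws-sdk-go@v1.44.317 golang.org/x/net@v0.10.0
golang.org/x/crypto@v0.12.0 golang.org/x/net@v0.10.0
go.mongodb.org/mongo-driver@v1.10.3 github.com/youmark/pkcs8@v0.0.0-20201027041543-1326539a0a0a
github.com/youmark/pkcs8@v0.0.0-20201027041543-1326539a0a0a golang.org/x/crypto@v0.12.0
`

// modGraph maps a node ("path@version", or bare path for the main module)
// to the nodes it requires, in the order the edges were listed.
type modGraph map[string][]string

// parseGraph turns "parent child" lines into an adjacency list.
func parseGraph(s string) modGraph {
	g := modGraph{}
	for _, line := range strings.Split(s, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g
}

// splitModule separates "path@version"; the main module has no version.
func splitModule(node string) (path, version string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// numeric extracts major.minor.patch. Pre-release and pseudo-version suffixes
// (v0.0.0-20201027041543-1326539a0a0a) are dropped, which is what we want: a
// v0.0.0 pseudo-version sorts below every tagged release.
func numeric(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, part := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(part)
		if err != nil {
			n = 0 // malformed component: treat as 0 rather than abort
		}
		out[i] = n
	}
	return out
}

// versionLess reports whether a sorts before b on major.minor.patch.
func versionLess(a, b string) bool {
	pa, pb := numeric(a), numeric(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// chainsTo returns every path from root to a node whose module path is target.
// Nodes on the current path are tracked so a cyclic graph cannot loop forever.
func chainsTo(g modGraph, root, target string) [][]string {
	var out [][]string
	var walk func(node string, path []string, onPath map[string]bool)
	walk = func(node string, path []string, onPath map[string]bool) {
		if p, _ := splitModule(node); p == target {
			out = append(out, append([]string(nil), path...))
			return
		}
		for _, child := range g[node] {
			if onPath[child] {
				continue
			}
			onPath[child] = true
			walk(child, append(path, child), onPath)
			delete(onPath, child)
		}
	}
	walk(root, []string{root}, map[string]bool{root: true})
	return out
}

// selectedVersion mimics minimal version selection: the build uses the highest
// version of modPath that any edge in the graph requires.
func selectedVersion(g modGraph, modPath string) string {
	best := ""
	consider := func(node string) {
		if p, v := splitModule(node); p == modPath && v != "" && (best == "" || versionLess(best, v)) {
			best = v
		}
	}
	for parent, children := range g {
		consider(parent)
		for _, c := range children {
			consider(c)
		}
	}
	return best
}

// report says whether the selected version of modPath is below fixed and
// returns every chain from root that pulls modPath in.
func report(g modGraph, root, modPath, fixed string) (bool, [][]string) {
	sel := selectedVersion(g, modPath)
	return sel != "" && versionLess(sel, fixed), chainsTo(g, root, modPath)
}

func main() {
	g := parseGraph(sampleGraph)
	root, mod, fixed := "github.com/mongodb/mongo-tools", "golang.org/x/net", "v0.17.0"
	vuln, chains := report(g, root, mod, fixed)
	fmt.Printf("%s selected %s, below %s: %v\n", mod, selectedVersion(g, mod), fixed, vuln)
	for i, c := range chains { // print leaf first, ticket style
		parts := make([]string, 0, len(c))
		for j := len(c) - 1; j >= 0; j-- {
			parts = append(parts, c[j])
		}
		fmt.Printf("%d) %s\n", i+1, strings.Join(parts, " <-- "))
	}
}
```

      Against a real checkout, feed the output of `go mod graph` to `parseGraph` and cross-check the selected version with `go list -m golang.org/x/net`; the graph may list several versions of the same module, and the one that ends up in the binary is the highest. Whether the vulnerable http2 server code is actually reachable from the mongo-tools binaries is a separate question that `govulncheck ./...` answers, and it does not change the upgrade decision here, only its urgency.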

      Next Steps

      1. Verify that you agree with the given CVSSv3 score/due date. If you don't, link a new CVSSv3 score (https://www.first.org/cvss/calculator/3.1) and cc one of your teammates. If both of you are in agreement on the new risk rating, adjust the CVSS score/due date/priority on the ticket.

      2. Upgrade the package by the fix date.

      3. Take pride in knowing you made MongoDB a safer place.

      Questions / Concerns

      If there are any questions or concerns, check out the wiki. Thanks!

            Assignee:
            rohan.sharan@mongodb.com Rohan Sharan
            Reporter:
            snyk-cve-cloudsecurity snyk-cve-cloudsecurity
            Dave Rolsky, Tim Fogarty