Description
Vulnerable Library - github.com/uber-go/tally/v4-v4.1.1
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.1.zip
Path to dependency file: /contrib/tally/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/uber-go/tally/v4/@v/v4.1.1.mod
Found in HEAD commit: b5942aefecb0379859bab42b44fa267ca8f3f8d8
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in (github.com/uber-go/tally/v4-v4.1.1 version) | Remediation Possible**
---|---|---|---|---|---
CVE-2019-0210 | 7.5 | github.com/uber-go/tally/v4-v4.1.1 | Direct | 0.13.0 | ✅
CVE-2019-0205 | 7.5 | github.com/uber-go/tally/v4-v4.1.1 | Direct | org.apache.thrift:libthrift:0.13.0 | ✅
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2019-0210
Vulnerable Library - github.com/uber-go/tally/v4-v4.1.1
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.1.zip
Path to dependency file: /contrib/tally/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/uber-go/tally/v4/@v/v4.1.1.mod
Dependency Hierarchy:
- ❌ github.com/uber-go/tally/v4-v4.1.1 (Vulnerable Library)
Found in HEAD commit: b5942aefecb0379859bab42b44fa267ca8f3f8d8
Found in base branch: master
Vulnerability Details
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
Publish Date: 2019-10-29
URL: CVE-2019-0210
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-10-29
Fix Resolution: 0.13.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-0205
Vulnerable Library - github.com/uber-go/tally/v4-v4.1.1
A Go metrics interface with fast buffered metrics and third party reporters
Library home page: https://proxy.golang.org/github.com/uber-go/tally/v4/@v/v4.1.1.zip
Path to dependency file: /contrib/tally/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/uber-go/tally/v4/@v/v4.1.1.mod
Dependency Hierarchy:
- ❌ github.com/uber-go/tally/v4-v4.1.1 (Vulnerable Library)
Found in HEAD commit: b5942aefecb0379859bab42b44fa267ca8f3f8d8
Found in base branch: master
Vulnerability Details
In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Publish Date: 2019-10-29
URL: CVE-2019-0205
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
Release Date: 2019-10-29
Fix Resolution: org.apache.thrift:libthrift:0.13.0
⛑️ Automatic Remediation will be attempted for this issue.