Upstream update 2024 June #149

Closed

Merge remote-tracking branch 'upstream/main' into upstream-update-202…

8b48179
Mend for GitHub.com / Mend Security Check failed Jun 24, 2024 in 9m 10s

Security Report

You have successfully remediated 12 vulnerabilities, but introduced 10 new vulnerabilities in this branch.

❌ New vulnerabilities:

CVE-2024-34351
  Severity: High (CVSS 7.5)
  Vulnerable library: next-13.5.1.tgz
  Path to dependency file: /src/frontend/package.json
  Path to vulnerable library: /src/frontend/package.json
  Dependency hierarchy:
    -> ❌ next-13.5.1.tgz (Vulnerable Library)
  Suggested fix: Upgrade to version: next - 14.1.1
  Issue: None

CVE-2023-4316
  Severity: High (CVSS 7.5)
  Vulnerable library: zod-3.21.4.tgz
  Path to dependency file: /src/frontend/package.json
  Path to vulnerable library: /src/frontend/package.json
  Dependency hierarchy:
    -> next-13.5.1.tgz (Root Library)
       -> ❌ zod-3.21.4.tgz (Vulnerable Library)
  Suggested fix: Upgrade to version: zod - 3.22.3
  Issue: None

CVE-2023-29483
  Severity: High (CVSS 7.5)
  Vulnerable library: dnspython-2.3.0-py3-none-any.whl
  Path to dependency file: /src/loadgenerator/requirements.txt
  Path to vulnerable library: /src/loadgenerator/requirements.txt
  Dependency hierarchy:
    -> ❌ dnspython-2.3.0-py3-none-any.whl (Vulnerable Library)
  Suggested fix: Upgrade to version: dnspython - 2.6.0
  Issue: None

CVE-2024-22195
  Severity: Medium (CVSS 6.1)
  Vulnerable library: Jinja2-3.1.2-py3-none-any.whl
  Path to dependency file: /src/loadgenerator/requirements.txt
  Path to vulnerable library: /src/loadgenerator/requirements.txt
  Dependency hierarchy:
    -> ❌ Jinja2-3.1.2-py3-none-any.whl (Vulnerable Library)
  Suggested fix: Upgrade to version: jinja2 - 3.1.3
  Issue: #126

CVE-2024-35195
  Severity: Medium (CVSS 5.6)
  Vulnerable library: requests-2.31.0-py3-none-any.whl
  Path to dependency file: /src/loadgenerator/requirements.txt
  Path to vulnerable library: /src/loadgenerator/requirements.txt
  Dependency hierarchy:
    -> ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
  Suggested fix: Upgrade to version: requests - 2.32.2
  Issue: #136

CVE-2024-35255
  Severity: Medium (CVSS 5.5)
  Vulnerable library: azure_identity-1.15.0-py3-none-any.whl
  Path to dependency file: /src/loadgenerator/requirements.txt
  Path to vulnerable library: /src/loadgenerator/requirements.txt
  Dependency hierarchy:
    -> ❌ azure_identity-1.15.0-py3-none-any.whl (Vulnerable Library)
  Suggested fix: Upgrade to version: @azure/identity (npm) - 4.2.1, @azure/msal-node (npm) - 2.9.1, Azure.Identity (NuGet) - 1.11.4, Microsoft.Identity.Client (NuGet) - 4.61.3, azure-identity (pip) - 1.16.1, com.azure:azure-identity:1.12.2 (Maven), github.com/Azure/azure-sdk-for-go/sdk/azidentity (go) - 1.6.0
  Issue: None

CVE-2024-34064
  Severity: Medium (CVSS 5.4)
  Vulnerable library: Jinja2-3.1.2-py3-none-any.whl
  Path to dependency file: /src/loadgenerator/requirements.txt
  Path to vulnerable library: /src/loadgenerator/requirements.txt
  Dependency hierarchy:
    -> ❌ Jinja2-3.1.2-py3-none-any.whl (Vulnerable Library)
  Suggested fix: Upgrade to version: Jinja2 - 3.1.4
  Issue: #126

CVE-2024-37168
  Severity: Medium (CVSS 5.3)
  Vulnerable library: grpc-js-1.10.8.tgz
  Path to dependency file: /src/frontend/package.json
  Path to vulnerable library: /src/frontend/package.json,/src/paymentservice/package.json
  Dependency hierarchy:
    -> ❌ grpc-js-1.10.8.tgz (Vulnerable Library)
  Suggested fix: Upgrade to version: @grpc/grpc-js - 1.8.22,1.9.15,1.10.9
  Issue: None

CVE-2024-29025
  Severity: Medium (CVSS 5.3)
  Vulnerable library: netty-codec-http-4.1.100.Final.jar
  Path to dependency file: /src/adservice/build.gradle
  Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.100.Final/992623e7d8f2d96e41faf1687bb963f5433e3517/netty-codec-http-4.1.100.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.100.Final/992623e7d8f2d96e41faf1687bb963f5433e3517/netty-codec-http-4.1.100.Final.jar
  Dependency hierarchy:
    -> grpc-netty-1.61.1.jar (Root Library)
       -> netty-codec-http2-4.1.100.Final.jar
          -> ❌ netty-codec-http-4.1.100.Final.jar (Vulnerable Library)
  Suggested fix: Upgrade to version: io.netty:netty-codec-http:4.1.108.Final
  Issue: None

CVE-2024-37891
  Severity: Medium (CVSS 4.4)
  Vulnerable library: urllib3-2.0.7-py3-none-any.whl
  Path to dependency file: /src/loadgenerator/requirements.txt
  Path to vulnerable library: /src/loadgenerator/requirements.txt
  Dependency hierarchy:
    -> ❌ urllib3-2.0.7-py3-none-any.whl (Vulnerable Library)
  Suggested fix: Upgrade to version: urllib3 - 1.26.19,2.2.2
  Issue: None

✔️ Remediated vulnerabilities:

CVE              Vulnerable Library
CVE-2023-48795   golang.org/x/crypto-v0.14.0
CVE-2024-29025   netty-codec-http-4.1.97.Final.jar
CVE-2024-32028   opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
CVE-2024-32028   opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg
CVE-2023-44487   netty-codec-http2-4.1.97.Final.jar
CVE-2024-27308   mio-0.8.9.crate
CVE-2019-0820    system.text.regularexpressions.4.3.0.nupkg
CVE-2023-36665   protobufjs-7.2.4.tgz
CVE-2018-8292    system.net.http.4.3.0.nupkg
CVE-2024-37168   grpc-js-1.9.9.tgz
CVE-2023-37920   certifi-2022.12.7-py3-none-any.whl
WS-2023-0045     remove_dir_all-0.5.3.crate

Base branch total remaining vulnerabilities: 21
Base branch commit: 651312c9c82b789d7867420ec64c43adf2e24321
Total libraries scanned: 880

Scan token: 16640ea603354985b8301852e3088826