ZITADEL Go’s GRPC example code vulnerability – GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
Description

Summary

Applications using the zitadel-go v3 library (next branch) might be impacted by package vulnerabilities. The output of govulncheck suggests that only example code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency golang.org/x/net v0.19.0 (CVE-2023-45288).

Patches

3.0.0-next versions are fixed on >= 3.0.0-next.3. ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

If updating the zitadel-go library is not an option, updating the affected (transitive) dependencies works as a workaround.

Details

Direct deps:

- GO-2024-2631: Decompression bomb vulnerability in github.com/go-jose/go-jose (github.com/go-jose/go-jose/v3). Fixed in v3.0.3. This module is necessary because github.com/go-jose/go-jose/v3 is imported in github.com/zitadel/zitadel-go/v3/pkg/client/system.
- GO-2024-2611: Infinite loop in JSON unmarshaling in google.golang.org/protobuf (google.golang.org/protobuf/encoding/protojson, google.golang.org/protobuf/internal/encoding/json). Fixed in v1.33.0. This module is necessary because google.golang.org/protobuf/reflect/protoreflect is imported in github.com/zitadel/zitadel-go/v3/example/api/grpc/proto.

Transitive deps:

- GO-2024-2687: HTTP/2 CONTINUATION flood in net/http (golang.org/x/net/http2). Fixed in v0.23.0. This module is necessary because golang.org/x/net/trace is imported in:
  - github.com/zitadel/zitadel-go/v3/example/api/grpc
  - google.golang.org/grpc
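As an added example, not part of this advisory or of the zitadel-go project, the POSIX shell script below checks a go.mod against the three fixed versions listed above and prints the `go get module@version` bump that the workaround describes for each module still below its fixed version. The go.mod content is constructed for the example, and the helper names (mod_version, version_ge, check_advisory) are my own; it only needs awk. govulncheck ./... remains the authoritative check, because it also reports whether the vulnerable functions are actually reachable from your code, which a version comparison cannot tell you.

```shell
#!/bin/sh
# Compare the module versions required by a go.mod against the first
# fixed version named in an advisory. Added example, not project code.

# Constructed go.mod for the example: two direct deps already at or above
# the fixed version, one direct dep and one transitive dep still below it.
GOMOD_FILE=$(mktemp)
trap 'rm -f "$GOMOD_FILE"' EXIT
cat > "$GOMOD_FILE" <<'EOF'
module example.com/myservice

go 1.21

require (
    github.com/zitadel/zitadel-go/v3 v3.0.0-next.2
    github.com/go-jose/go-jose/v3 v3.0.1
    google.golang.org/protobuf v1.33.0
)

require golang.org/x/net v0.19.0 // indirect
EOF

# mod_version GOMOD MODULE: print the version go.mod requires for MODULE
# (inside a require block or on a one-line require), or nothing if absent.
mod_version() {
  awk -v mod="$2" '
    ($1 == mod && $2 ~ /^v/)                      { print $2; exit }
    ($1 == "require" && $2 == mod && $3 ~ /^v/)   { print $3; exit }
  ' "$1"
}

# version_ge A B: succeed when A >= B on major.minor.patch.
# Pre-release and pseudo-version suffixes (everything after the first
# '-' or '+') are dropped, so v0.0.0-2023...-abcdef compares as 0.0.0,
# which errs on the side of reporting the module as vulnerable.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_advisory GOMOD ID MODULE FIXED: print one status line; succeed
# when MODULE is absent or already at/above FIXED, fail when it is below.
check_advisory() {
  have=$(mod_version "$1" "$3")
  if [ -z "$have" ]; then
    printf '%s  %-36s not required (skip)\n' "$2" "$3"
    return 0
  fi
  if version_ge "$have" "$4"; then
    printf '%s  %-36s %s >= %s  OK\n' "$2" "$3" "$have" "$4"
    return 0
  fi
  printf '%s  %-36s %s <  %s  VULNERABLE -> go get %s@%s\n' \
    "$2" "$3" "$have" "$4" "$3" "$4"
  return 1
}

# The three advisories and fixed versions from the text above.
echo "Checking $GOMOD_FILE (run govulncheck ./... for reachability):"
check_advisory "$GOMOD_FILE" GO-2024-2631 github.com/go-jose/go-jose/v3 v3.0.3 || :
check_advisory "$GOMOD_FILE" GO-2024-2611 google.golang.org/protobuf     v1.33.0 || :
check_advisory "$GOMOD_FILE" GO-2024-2687 golang.org/x/net               v0.23.0 || :
```

Point the script at a real go.mod by replacing the constructed heredoc with the project's file; after applying the printed `go get` bumps, run `go mod tidy` and `govulncheck ./...` again to confirm nothing vulnerable is still reachable.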
