CVE(s) found in v0.20.1 #1400
Labels
Milestone
Comments
|
I don't think we are vulnerable to CVE-2024-34158 or CVE-2024-34155, as the lifecycle doesn't consume source code. We only call decode on data that we ourselves write, so I'd say that we are not vulnerable to CVE-2024-34156 either. The advisories don't list affected packages but I assume a go version update will be needed to silence this notification. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Latest lifecycle release v0.20.1 triggered CVE(s) from Grype. For further details, see: https://github.com/buildpacks/lifecycle/actions/runs/10822952717 json: {
"id": "CVE-2024-34158",
"severity": "High",
"description": "Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion."
}
{
"id": "CVE-2024-34158",
"severity": "High",
"description": "Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion."
}
{
"id": "CVE-2024-34156",
"severity": "High",
"description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635."
}
{
"id": "CVE-2024-34156",
"severity": "High",
"description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635."
}
{
"id": "CVE-2024-34155",
"severity": "Unknown",
"description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."
}
{
"id": "CVE-2024-34155",
"severity": "Unknown",
"description": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."
}
The text was updated successfully, but these errors were encountered: