GHSA-qc6v-5g5m-8cw2

Suggest an improvement
Source
https://github.com/advisories/GHSA-qc6v-5g5m-8cw2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-qc6v-5g5m-8cw2/GHSA-qc6v-5g5m-8cw2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qc6v-5g5m-8cw2
Published
2024-07-15T17:55:15Z
Modified
2024-07-15T17:55:15Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
Details

Summary

Applications using the zitadel-go v3 library (next branch) might be impacted by package vulnerabilities. The output of govulncheck suggests that only example code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency golang.org/x/net v0.19.0, CVE-2023-45288

Patches

3.0.0-next versions are fixed on >= 3.0.0-next.3

ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

If updating the zitadel-go library is not an option, updating the affected (transient) dependencies works as a workaround.

Details

Direct deps:

  • GO-2024-2631 Decompression bomb vulnerability in github.com/go-jose/go-jose
    • github.com/go-jose/go-jose/v3 Fixed in v3.0.3.

This module is necessary because github.com/go-jose/go-jose/v3 is imported in github.com/zitadel/zitadel-go/v3/pkg/client/system.

  • GO-2024-2611 Infinite loop in JSON unmarshaling in google.golang.org/protobuf
    • google.golang.org/protobuf/encoding/protojson
    • google.golang.org/protobuf/internal/encoding/json Fixed in v1.33.0.

This module is necessary because google.golang.org/protobuf/reflect/protoreflect is imported in github.com/zitadel/zitadel-go/v3/example/api/grpc/proto.

Transitive deps:

  • GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
    • golang.org/x/net/http2 Fixed in v0.23.0.

This module is necessary because golang.org/x/net/trace is imported in: - github.com/zitadel/zitadel-go/v3/example/api/grpc - google.golang.org/grpc

govulncheck

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.19.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.ConnectionError.Error
      #2: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #3: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #4: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #5: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.ReadFrame
      #6: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteContinuation
      #7: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteData
      #8: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteGoAway
      #9: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteHeaders
      #10: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WritePing
      #11: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteRSTStream
      #12: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettings
      #13: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettingsAck
      #14: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteWindowUpdate
      #15: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.GoAwayError.Error
      #16: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.Setting.String
      #17: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #18: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.SettingsFrame.ForeachSetting
      #19: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.StreamError.Error
      #20: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.chunkWriter.Write
      #21: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.connError.Error
      #22: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.duplicatePseudoHeaderError.Error
      #23: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.gzipReader.Close
      #24: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.gzipReader.Read
      #25: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldNameError.Error
      #26: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldValueError.Error
      #27: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.pseudoHeaderError.Error
      #28: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.stickyErrWriter.Write
      #29: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.transportResponseBody.Close
      #30: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.transportResponseBody.Read
      #31: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.
This scan also found 2 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.

PoC

No specific configuration required.

Impact

Indirect package vulnerability. Users following example code might be impacted.

References

  • https://pkg.go.dev/vuln/GO-2024-2631
  • https://pkg.go.dev/vuln/GO-2024-2611
  • https://pkg.go.dev/vuln/GO-2024-2687

Credits

Thanks to @helpisdev for reporting this.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-15T17:55:15Z"
}
References

Affected packages

Go / github.com/zitadel/zitadel-go/v3

Package

Name
github.com/zitadel/zitadel-go/v3
View open source insights on deps.dev
Purl
pkg:golang/github.com/zitadel/zitadel-go/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0-next.1
Fixed
3.0.0-next.3

Database specific

{
    "last_known_affected_version_range": "<= 3.0.0-next.2"
}