Hi Community

I have received an email containing a security report that should be paid
attention to. That is the main purpose of this email.

Best regards
Chenwei Jiang

---------- Forwarded message ---------
From: 开源社区OSCS <supp...@mail.oscs1024.com>
Date: Tue, Jun 21, 2022 at 17:50
Subject: The apache/apisix-go-plugin-runner project is affected by 2 open-source components with security defects
To: cheverjonathan <cheverjonat...@gmail.com>


Dear contributor to the apache/apisix-go-plugin-runner project,

Today both open-source projects and enterprise codebases are affected by components from the open-source community that carry security defects. According to the Synopsys OSSRA 2021 open-source security survey, each project introduces on average 55 components with security defects, and these defective open-source components cause on average 161 vulnerabilities per project.

The OSCS security community monitors a set of open-source projects and proactively detects and flags the risks they carry:

   - notifying the authors and contributors of these open-source projects that the project is affected by open-source components with security defects
   - notifying developers who have starred or forked these projects that they may also be affected by these defective open-source components

Because apache/apisix-go-plugin-runner is monitored by OSCS and is affected by components with security defects, we are taking the liberty of reminding you by email. If the information from the OSCS security community is not helpful to you, please click unsubscribe; we will mark the project as not of interest and will not notify you again.

The apache/apisix-go-plugin-runner project introduces a total of 2 vulnerable components; the main details are below:

Full report: https://www.oscs1024.com/cd/1537361826717495296?sign=6c0aef6a

Defective component: github.com/miekg/dns@v1.0.14 - direct dependency

   - Vulnerability title: miekg Go DNS package security feature issue
   - Impact: miekg Go DNS package is a DNS server package. Versions of miekg Go DNS package before 1.1.25 (as used in CoreDNS before 1.6.6 and other products) contain a security vulnerability caused by the program not generating random numbers correctly. An attacker can exploit this vulnerability to forge responses.
   - CVE ID: CVE-2019-19794
   - National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2019-45898
   - Affected range: (∞, 1.1.25)
   - Minimum fixed version: 1.1.25
   - Dependency path: apisix-go-plugin-runner@1655370586063567052@-> github.com/miekg/dns@v1.0.14
   - Vulnerability details: https://www.oscs1024.com/hd/MPS-2019-16292

Defective component: github.com/dgrijalva/jwt-go@v3.2.0+incompatible - direct dependency

   - Vulnerability title: jwt-go security vulnerability
   - Impact: jwt-go is a JWT implementation in Go by an individual developer. Versions of jwt-go before 4.0.0-preview1 contain a security vulnerability. An attacker can exploit this vulnerability to bypass intended access restrictions in situations where []string{} is used for m["aud"] (which the specification allows).
   - CVE ID: CVE-2020-26160
   - National vulnerability database entry:
   - Affected range: (∞, 4.0.0-preview1)
   - Minimum fixed version: 4.0.0-preview1
   - Dependency path: apisix-go-plugin-runner@1655370586063567052@-> github.com/dgrijalva/jwt-go@v3.2.0+incompatible
   - Vulnerability details: https://www.oscs1024.com/hd/MPS-2020-13786

Thank you for your efforts toward a healthy open-source ecosystem. On the report page you can obtain an OSCS community security badge to place in your project README and raise its security profile.

Respectfully, the OSCS security community

We wish you success at work and happiness in life.
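As an added illustration of the jwt-go CVE-2020-26160 entry in the forwarded report (this is not part of the original thread and is a reconstruction of the described behaviour, not the library's own source): the flawed audience check type-asserts `aud` to a string, so a `[]string` audience silently becomes "" and, with `required` false, the check passes for any caller; the hardened check beside it handles every claim shape the specification allows and fails closed on anything else. The names `Claims`, `verifyAudFlawed` and `verifyAudFixed` are assumed for this example.

```go
package main

import "crypto/subtle"

type Claims map[string]interface{}

// verifyAudFlawed reconstructs the pre-4.0.0-preview1 behaviour the report
// describes (illustration, not the library's source): a []string "aud"
// (allowed by RFC 7519) fails the string assertion, becomes "" and, when
// the audience is not required, any caller passes the check.
func verifyAudFlawed(m Claims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// verifyAudFixed accepts string, []string or []interface{} (what encoding/json
// yields for a JSON array), fails closed on anything else, and succeeds only
// when cmp is actually listed in the audience.
func verifyAudFixed(m Claims, cmp string, required bool) bool {
	var auds []string
	switch v := m["aud"].(type) {
	case nil: // claim absent: handled by the len check below
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // malformed entry: fail closed
			}
			auds = append(auds, s)
		}
	default:
		return false // unexpected type: never fall back to ""
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}
```

Calling `verifyAudFlawed` with a token issued for another service and `required` false returns true (the bypass), while `verifyAudFixed` rejects it; a service that always passes `required` true is not exposed to this particular path.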
