It's fixed, thanks again for your feedback.

—
Shirui Zhao

> On Jun 21, 2022, at 21:33, shirui zhao <zhaoth...@gmail.com> wrote:
> 
> Thanks for your feedback, I'll check it out.
> 
> 
>> On Jun 21, 2022, at 21:28, Chever John <cheverjonat...@gmail.com> wrote:
>> 
>> Hi Community
>> 
>> I have received an email with a security report that should be paid
>> attention to, so that is the main purpose of this email.
>> 
>> Best regards
>> Chenwei Jiang
>> 
>> ---------- Forwarded message ---------
>> From: OSCS Open Source Community <supp...@mail.oscs1024.com>
>> Date: Tue, Jun 21, 2022 at 17:50
>> Subject: The apache/apisix-go-plugin-runner project is affected by 2 open-source components with security defects
>> To: cheverjonathan <cheverjonat...@gmail.com>
>> 
>> 
>> Dear contributor to the apache/apisix-go-plugin-runner project:
>> 
>> Today both open source projects and enterprise code bases are being affected by components with security defects coming from the open source community. According to the Synopsys OSSRA 2021 open source security report,
>> each project introduces on average 55 components with security defects, and on average those defective open source components expose each project to 161 vulnerabilities.
>> 
>> The OSCS security community monitors a set of open source projects and proactively detects and reports the risks they carry:
>> 
>> - Notify the authors and contributors of these open source projects that the project is being affected by open source components with security defects
>> - Notify developers who have starred or forked these projects that they may also be affected by these open source components with security defects
>> 
>> Hello, because apache/apisix-go-plugin-runner is monitored by OSCS and is affected by components with security defects, we are taking the liberty of reminding you by email. If the
>> information from the OSCS security community is not helpful to you, please click unsubscribe,
>> and we will mark you as not interested for now and will not notify you again.
>> 
>> The apache/apisix-go-plugin-runner project introduces 2 vulnerable, defective components in total; the main information is as follows:
>> 
>> Full report: https://www.oscs1024.com/cd/1537361826717495296?sign=6c0aef6a
>> 
>> Defective component: github.com/miekg/dns@v1.0.14 - direct dependency
>> 
>> - Vulnerability title: miekg Go DNS package security feature issue
>> - Impact description: miekg Go DNS package is a DNS server package. Versions of miekg Go DNS package
>> before 1.1.25 (used in CoreDNS before 1.6.6 and in other products) contain a security vulnerability that stems from the program not generating random numbers correctly. An attacker can exploit this vulnerability to forge responses.
>> - CVE ID: CVE-2019-19794
>> - National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2019-45898
>> - Affected range: (∞, 1.1.25)
>> - Minimum fixed version: 1.1.25
>> - Component dependency path: apisix-go-plugin-runner@1655370586063567052@->
>> github.com/miekg/dns@v1.0.14
>> - Vulnerability details: https://www.oscs1024.com/hd/MPS-2019-16292
>> 
>> Defective component: github.com/dgrijalva/jwt-go@v3.2.0+incompatible - direct dependency
>> 
>> - Vulnerability title: jwt-go security vulnerability
>> - Impact description: jwt-go is a JWT implementation in Go by an individual developer. Versions of jwt-go
>> before 4.0.0-preview1 contain a security vulnerability. An attacker can exploit this vulnerability to bypass intended access restrictions in situations where []string{} is used for
>> m["aud"] (which the specification allows).
>> - CVE ID: CVE-2020-26160
>> - National vulnerability database entry:
>> - Affected range: (∞, 4.0.0-preview1)
>> - Minimum fixed version: 4.0.0-preview1
>> - Component dependency path: apisix-go-plugin-runner@1655370586063567052@->
>> github.com/dgrijalva/jwt-go@v3.2.0+incompatible
>> - Vulnerability details: https://www.oscs1024.com/hd/MPS-2020-13786
>> 
>> Thank you for your efforts toward the healthy development of the open source ecosystem. On the report page you can obtain the OSCS community security badge and place it in your project README to raise your security profile:
>> 
>> Sincerely, the OSCS security community
>> 
>> We wish you success at work and a happy life
>> Not interested in this information and do not want to receive it again
> 

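The jwt-go finding above (CVE-2020-26160) is about an audience check that only understands a string "aud". The following is an added example, not code from apisix-go-plugin-runner or from jwt-go: a simplified reconstruction of that defect class next to a check that handles the []string form the JWT spec allows; the `Claims` type and the function names are assumptions for the illustration.

```go
package main

import "crypto/subtle"

// Claims stands in for a decoded JWT payload (jwt-go's MapClaims is also a map[string]interface{}).
type Claims map[string]interface{}

// verifyAudVulnerable is a simplified reconstruction (an assumption, not the library's exact code) of the
// defect class: a []string "aud" fails the type assertion, aud stays "", and with required=false the check passes.
func verifyAudVulnerable(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// audienceList normalises every shape an "aud" claim can take after JSON decoding.
func audienceList(v interface{}) []string {
	switch a := v.(type) {
	case string:
		return []string{a}
	case []string:
		return a
	case []interface{}: // what encoding/json produces for a JSON array
		var out []string
		for _, e := range a {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// verifyAudFixed accepts the token only if the expected audience is actually listed in the claim.
func verifyAudFixed(c Claims, expected string, required bool) bool {
	auds := audienceList(c["aud"])
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}
```

With a constructed claim `Claims{"aud": []string{"other-service"}}`, `verifyAudVulnerable` accepts a token meant for another service while `verifyAudFixed` rejects it.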