Dependency Security Assessment Failure #423
Description
Summary
The Sentry go module is dependent upon a number of third-party modules that have recognised security vulnerabilities.
- github.com/kataras/iris/v12 - v12.1.8
This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.
More Info:
• https://nvd.nist.gov/vuln/detail/CVE-2021-23772
• CVE-2021-23772
• kataras/iris@e213dba
- gopkg.in/yaml.v2 - v2.2.4
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10,
1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause
the kube-apiserver to consume excessive CPU cycles while parsing YAML.
More Info:
• CVE-2019-11254
• CVE-2019-11254: kube-apiserver Denial of Service vulnerability from malicious YAML payloads kubernetes/kubernetes#89535
• https://github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8
Motivation
The security policy and vulnerability disclosure document (https://sentry.io/security/#vulnerability-disclosure) indicates that Sentry wishes to maintain a secure environment. Updating these modules will help maintain those aspirations.
Additional Context
There was a recent merge (#411) that resolved one of the other security vulnerabilities which I haven't listed, thank you. I hope that providing you with this information will allow you to close these further two and perhaps do a security release.
These vulnerabilities were identified using Meterian where we are using github.com/getsentry/sentry-go:v0.12.0 in all our packages. The kataras module has three vulnerabilities caused by their third-party modules (github.com/microcosm-cc/bluemonday:v1.0.2, github.com/kataras/neffos:v0.0.14 and github.com/nats-io/nats.go:v1.9.1). The yaml vulnerability is self-contained.
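The iris advisory quoted in this issue describes a path-traversal class of bug in upload file-name handling. The Go program below is an added example and is not iris code, sentry-go code, or a reproduction of the actual CVE-2021-23772 fix; the function names (naiveUploadPath, safeUploadPath, insideDir) and the sample file names are constructed for illustration. It shows why joining a client-supplied name onto the target directory is not enough (filepath.Join resolves "../" instead of rejecting it) and one hardened version that keeps only the last path element and re-checks containment with filepath.Rel.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeFilename is returned when a client-supplied file name cannot be
// placed under the upload directory safely. (Hypothetical name.)
var ErrUnsafeFilename = errors.New("unsafe upload filename")

// naiveUploadPath shows the bug class: the client-supplied name is joined to
// the destination directory as-is. filepath.Join cleans the result, so "../"
// components are resolved rather than rejected, and the final path can land
// anywhere on the filesystem.
func naiveUploadPath(destDir, clientName string) string {
	return filepath.Join(destDir, clientName)
}

// insideDir reports whether target lies within root. It uses filepath.Rel
// instead of a string-prefix test, so a sibling such as "/srv/uploads-old"
// is not mistaken for "/srv/uploads".
func insideDir(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeUploadPath keeps only the last path element of the client name
// (treating both '/' and '\' as separators), rejects empty or dot-only
// names and NUL bytes, and then confirms the joined result still resolves
// inside destDir as defence in depth.
func safeUploadPath(destDir, clientName string) (string, error) {
	if strings.ContainsRune(clientName, 0) {
		return "", ErrUnsafeFilename
	}
	base := filepath.Base(strings.ReplaceAll(clientName, "\\", "/"))
	if base == "" || base == "." || base == ".." || base == "/" {
		return "", ErrUnsafeFilename
	}
	absDir, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDir, base)
	if !insideDir(absDir, target) {
		return "", ErrUnsafeFilename
	}
	return target, nil
}

func main() {
	// Constructed sample inputs: values a multipart upload's filename field
	// might carry.
	const dest = "/srv/uploads"
	for _, name := range []string{"report.pdf", "../../etc/passwd", "..\\..\\boot.ini", "..", ""} {
		safe, err := safeUploadPath(dest, name)
		fmt.Printf("%-20q naive=%-24s safe=%q err=%v\n", name, naiveUploadPath(dest, name), safe, err)
	}
}
```

Independently of the example, `go mod why -m github.com/kataras/iris/v12` shows whether the flagged module is actually reachable from a given build, which is usually the first question a maintainer asks when triaging a scanner report like this one.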