{"url":"http://public2.vulnerablecode.io/api/packages/373036?format=json","purl":"pkg:golang/github.com/zitadel/zitadel-go/v3@3.0.0-next.3","type":"golang","namespace":"github.com/zitadel/zitadel-go","name":"v3","version":"3.0.0-next.3","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359730?format=json","vulnerability_id":"VCID-kekt-csjy-6bg1","summary":"ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http\n### Summary\nApplications using the `zitadel-go` `v3` library (`next` branch) might be impacted by package vulnerabilities.\nThe output of `govulncheck` suggests that only `example` code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency `golang.org/x/net v0.19.0`, [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288)\n\n### Patches\n3.0.0-next versions are fixed on >= [3.0.0-next.3](https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3)\n\nZITADEL recommends upgrading to the latest versions available in due course.\n\n### Workarounds\n\nIf updating the zitadel-go library is not an option, updating the affected (transient) dependencies works as a workaround.\n\n### Details\n\n#### Direct deps:\n\n- [GO-2024-2631](https://pkg.go.dev/vuln/GO-2024-2631) Decompression bomb vulnerability in github.com/go-jose/go-jose\n  - github.com/go-jose/go-jose/v3 Fixed in v3.0.3.\n\nThis module is necessary because [github.com/go-jose/go-jose/v3](https://pkg.go.dev/github.com/go-jose/go-jose/v3@v3.0.1) is imported in `github.com/zitadel/zitadel-go/v3/pkg/client/system`.\n\n- [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) Infinite loop in JSON unmarshaling in google.golang.org/protobuf\n  - google.golang.org/protobuf/encoding/protojson\n  - google.golang.org/protobuf/internal/encoding/json Fixed in v1.33.0.\n\nThis module is necessary because [google.golang.org/protobuf/reflect/protoreflect](https://pkg.go.dev/google.golang.org/protobuf@v1.31.0/reflect/protoreflect) is imported in `github.com/zitadel/zitadel-go/v3/example/api/grpc/proto`.\n\n#### Transitive deps:\n- [GO-2024-2687](https://pkg.go.dev/vuln/GO-2024-2687) HTTP/2 CONTINUATION flood in net/http\n  - golang.org/x/net/http2 Fixed in v0.23.0.\n\nThis module is necessary because [golang.org/x/net/trace](https://pkg.go.dev/golang.org/x/net@v0.19.0/trace) is imported in:\n  - `github.com/zitadel/zitadel-go/v3/example/api/grpc`\n  - `google.golang.org/grpc`\n\n#### `govulncheck`\n\n```console\n=== Symbol Results ===\n\nVulnerability #1: GO-2024-2687\n    HTTP/2 CONTINUATION flood in net/http\n  More info: https://pkg.go.dev/vuln/GO-2024-2687\n  Module: golang.org/x/net\n    Found in: golang.org/x/net@v0.19.0\n    Fixed in: golang.org/x/net@v0.23.0\n    Example traces found:\n      #1: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.ConnectionError.Error\n      #2: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.ErrCode.String\n      #3: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameHeader.String\n      #4: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameType.String\n      #5: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.ReadFrame\n      #6: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteContinuation\n      #7: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteData\n      #8: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteGoAway\n      #9: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteHeaders\n      #10: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WritePing\n      #11: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteRSTStream\n      #12: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettings\n      #13: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettingsAck\n      #14: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteWindowUpdate\n      #15: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.GoAwayError.Error\n      #16: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.Setting.String\n      #17: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.SettingID.String\n      #18: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.SettingsFrame.ForeachSetting\n      #19: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.StreamError.Error\n      #20: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.chunkWriter.Write\n      #21: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.connError.Error\n      #22: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.duplicatePseudoHeaderError.Error\n      #23: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.gzipReader.Close\n      #24: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.gzipReader.Read\n      #25: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldNameError.Error\n      #26: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldValueError.Error\n      #27: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.pseudoHeaderError.Error\n      #28: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.stickyErrWriter.Write\n      #29: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.transportResponseBody.Close\n      #30: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.transportResponseBody.Read\n      #31: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.writeData.String\n\nYour code is affected by 1 vulnerability from 1 module.\nThis scan also found 2 vulnerabilities in packages you import and 1\nvulnerability in modules you require, but your code doesn't appear to call these\nvulnerabilities.\n```\n\n### PoC\nNo specific configuration required.\n\n### Impact\nIndirect package vulnerability. Users following example code might be impacted.\n\n### References\n\n- https://pkg.go.dev/vuln/GO-2024-2631\n- https://pkg.go.dev/vuln/GO-2024-2611\n- https://pkg.go.dev/vuln/GO-2024-2687\n\n### Credits\n\nThanks to @helpisdev for reporting this.","references":[{"reference_url":"https://github.com/zitadel/zitadel-go","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zitadel/zitadel-go"},{"reference_url":"https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3"},{"reference_url":"https://github.com/zitadel/zitadel-go/security/advisories/GHSA-qc6v-5g5m-8cw2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zitadel/zitadel-go/security/advisories/GHSA-qc6v-5g5m-8cw2"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-2631","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-2631"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2023-45288","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/CVERecord?id=CVE-2023-45288"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373036?format=json","purl":"pkg:golang/github.com/zitadel/zitadel-go/v3@3.0.0-next.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/zitadel/zitadel-go/v3@3.0.0-next.3"}],"aliases":["GHSA-qc6v-5g5m-8cw2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kekt-csjy-6bg1"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/zitadel/zitadel-go/v3@3.0.0-next.3"}