Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xYzZ2LTVnNW0tOGN3Ms4AA95d
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
Summary
Applications using the zitadel-go v3 library (next branch) might be impacted by package vulnerabilities.
The output of govulncheck suggests that only example code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency golang.org/x/net v0.19.0, CVE-2023-45288
Patches
3.0.0-next versions are fixed on >= 3.0.0-next.3
ZITADEL recommends upgrading to the latest versions available in due course.
Workarounds
If updating the zitadel-go library is not an option, updating the affected (transient) dependencies works as a workaround.
Details
Direct deps:
- GO-2024-2631 Decompression bomb vulnerability in github.com/go-jose/go-jose
- github.com/go-jose/go-jose/v3 Fixed in v3.0.3.
This module is necessary because github.com/go-jose/go-jose/v3 is imported in github.com/zitadel/zitadel-go/v3/pkg/client/system.
- GO-2024-2611 Infinite loop in JSON unmarshaling in google.golang.org/protobuf
- google.golang.org/protobuf/encoding/protojson
- google.golang.org/protobuf/internal/encoding/json Fixed in v1.33.0.
This module is necessary because google.golang.org/protobuf/reflect/protoreflect is imported in github.com/zitadel/zitadel-go/v3/example/api/grpc/proto.
Transitive deps:
- GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
- golang.org/x/net/http2 Fixed in v0.23.0.
This module is necessary because golang.org/x/net/trace is imported in:
github.com/zitadel/zitadel-go/v3/example/api/grpcgoogle.golang.org/grpc
govulncheck
=== Symbol Results ===
Vulnerability #1: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
More info: https://pkg.go.dev/vuln/GO-2024-2687
Module: golang.org/x/net
Found in: golang.org/x/[email protected]
Fixed in: golang.org/x/[email protected]
Example traces found:
#1: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.ConnectionError.Error
#2: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.ErrCode.String
#3: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
#4: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameType.String
#5: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.ReadFrame
#6: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteContinuation
#7: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteData
#8: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteGoAway
#9: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteHeaders
#10: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WritePing
#11: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteRSTStream
#12: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettings
#13: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettingsAck
#14: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteWindowUpdate
#15: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.GoAwayError.Error
#16: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.Setting.String
#17: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.SettingID.String
#18: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.SettingsFrame.ForeachSetting
#19: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.StreamError.Error
#20: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.chunkWriter.Write
#21: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.connError.Error
#22: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.duplicatePseudoHeaderError.Error
#23: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.gzipReader.Close
#24: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.gzipReader.Read
#25: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldNameError.Error
#26: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldValueError.Error
#27: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.pseudoHeaderError.Error
#28: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.stickyErrWriter.Write
#29: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.transportResponseBody.Close
#30: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.transportResponseBody.Read
#31: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.writeData.String
Your code is affected by 1 vulnerability from 1 module.
This scan also found 2 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
PoC
No specific configuration required.
Impact
Indirect package vulnerability. Users following example code might be impacted.
References
- https://pkg.go.dev/vuln/GO-2024-2631
- https://pkg.go.dev/vuln/GO-2024-2611
- https://pkg.go.dev/vuln/GO-2024-2687
Credits
Thanks to @helpisdev for reporting this.
Permalink: https://github.com/advisories/GHSA-qc6v-5g5m-8cw2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xYzZ2LTVnNW0tOGN3Ms4AA95d
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-qc6v-5g5m-8cw2
References:
- https://github.com/zitadel/zitadel-go/security/advisories/GHSA-qc6v-5g5m-8cw2
- https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3
- https://pkg.go.dev/vuln/GO-2024-2611
- https://pkg.go.dev/vuln/GO-2024-2631
- https://pkg.go.dev/vuln/GO-2024-2687
- https://www.cve.org/CVERecord?id=CVE-2023-45288
- https://github.com/advisories/GHSA-qc6v-5g5m-8cw2
Blast Radius: 1.0
Affected Packages
go:github.com/zitadel/zitadel-go/v3
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 3.0.0-next.1, <= 3.0.0-next.2
Fixed in: 3.0.0-next.3
All affected versions: 3.0.0-next.1, 3.0.0-next.2
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.3.0