- Type: Vulnerability
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- mongodb/mongo-tools
- Tools and Replicator
- master
Priority from VULN: Medium
This is a copy of the linked VULN ticket issue. You only need to update this ticket and the VULN ticket will be synced accordingly.
Vulnerability Details
A security finding with medium severity was detected on a Code Repo asset mongodb/mongo-tools. You are responsible for fixing it by Oct 14, 2024.
Details:
File: go.mod
Update package `crypto`
The minimum required version is 0.24.0.
Overview
golang.org/x/crypto/acme/autocert is a package providing automatic access to certificates from Let's Encrypt and any other ACME-based CA.
Affected versions of this package are vulnerable to Path Traversal in the `DirCache()` function, because it uses `path.Base`, which only recognises `/` as a separator and therefore lets relative components through, instead of the OS-aware `filepath.Base`. An attacker can read HTTP-01 token files on the target filesystem by passing in filenames containing `..`.
Note: This vulnerability only exists on Windows, using Windows path separators (`\`), on files with the suffix `+http-01`.
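The `path.Base` versus `filepath.Base` distinction described above, as an added Go example that is not code from the autocert package or from mongo-tools: `path.Base` only understands `/`, so a Windows-style key such as `..\..\other.example+http-01` comes back unchanged and would later be joined onto the cache directory, while `safeCacheName` is a hypothetical, portable hardening that rejects any key containing either separator or a `..` component before it ever reaches the filesystem. All key values here are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for cache keys that could escape the cache directory.
var ErrUnsafeName = errors.New("autocert cache: unsafe cache key")

// baseWithPathPkg mirrors the pre-0.24.0 pattern named in the ticket:
// path.Base treats only '/' as a separator, so a backslash-separated
// "..\\name" survives untouched on every OS, including Windows where
// the backslash is a real separator.
func baseWithPathPkg(name string) string {
	return path.Base(name)
}

// safeCacheName is a hypothetical defensive check (added example, not the
// autocert implementation). It refuses anything that is not a single,
// separator-free path component, independent of the host OS, and only then
// falls through to the OS-aware filepath.Base.
func safeCacheName(name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrUnsafeName
	}
	// Reject both '/' and '\' so the check behaves the same on Linux and Windows.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrUnsafeName
	}
	// After the checks above this is a no-op for a single component; it is kept
	// to show the primitive the fixed version relies on.
	return filepath.Base(name), nil
}

func main() {
	keys := []string{
		"example.com+http-01",           // a normal HTTP-01 token cache key
		`..\..\other.example+http-01`,   // Windows-style traversal attempt
		"../other.example+http-01",      // POSIX-style traversal attempt
	}
	for _, key := range keys {
		fmt.Printf("path.Base(%q) = %q\n", key, baseWithPathPkg(key))
		if n, err := safeCacheName(key); err != nil {
			fmt.Printf("safeCacheName(%q) rejected: %v\n", key, err)
		} else {
			fmt.Printf("safeCacheName(%q) = %q\n", key, n)
		}
	}
}
```

Running the block shows that `path.Base` strips the `../` prefix but passes the `..\..\` form through verbatim, which is exactly the asymmetry that made the bug Windows-only; the portable check rejects both forms regardless of where it runs.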
Remediation
Upgrade `golang.org/x/crypto/acme/autocert` to version 0.24.0 or higher.
References
CWEs: CWE-22
Asset details:
- Repository Name: mongodb/mongo-tools
- Priority: 50 / 100
- Environments: Production
- URL: https://github.com/mongodb/mongo-tools
- Languages: Go, Shell, Perl, Python, JavaScript
- Labels: No labels assigned
Security Tool Links this ticket covers (Optional to look at)
You may request a temporary exception (expires on the exception-deadline you specify) by posting a comment: [justification] [exception-deadline] #request-exception. For example, if you need one more week:
[Requires major change] [Jul 23, 2024] #request-exception
You may also choose not to include an exception deadline by putting 'no-expiration' as your date: [justification] [no-expiration] #request-exception
You may report a false positive by posting a comment: [justification] #report-false-positive. For example:
[This S3 bucket is supposed to be public] #report-false-positive
You may indicate that your team is not the right one for this ticket by posting a comment: #request-another-team
This issue was created, tracked and synced with Silk Security (https://silk.security).