  1. MongoDB Database Tools
  2. TOOLS-3615

Security Finding: Update package `crypto`

    • Type: Vulnerability
    • Resolution: Done
    • Priority: Major - P3
    • 100.10.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • mongodb/mongo-tools
    • Tools and Replicator
    • master

      Priority from VULN: Medium
      This is a copy of the linked VULN ticket issue. You only need to update this ticket and the VULN ticket will be synced accordingly.


      Vulnerability Details

      A security finding with medium severity was detected on a Code Repo asset mongodb/mongo-tools. You are responsible for fixing it by Oct 14, 2024.

      Details:

      File: go.mod
      Update package `crypto`
      The minimum required version is 0.24.0.

      Overview

      golang.org/x/crypto/acme/autocert is a package providing automatic access to certificates from Let's Encrypt and any other ACME-based CA.

      Affected versions of this package are vulnerable to Path Traversal in the `DirCache()` function: the cache key for an HTTP-01 token is derived with `path.Base`, which treats only `/` as a path separator, instead of `filepath.Base`, so a name containing Windows-style `..\` segments survives unchanged and is joined onto the cache directory. An attacker can read HTTP-01 token files on the target filesystem by passing in filenames with `..`.

      *Note:* This vulnerability only exists on Windows, using Windows path separators (`\`), on files with the suffix `+http-01`.
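      The mechanism above, as an added example (not autocert's code and not part of this ticket): `weakHTTPTokenCacheKey` reproduces the `path.Base` pattern, `fixedHTTPTokenCacheKey` the `filepath.Base` fix, and `safeHTTPTokenCacheKey` a portable allowlist check that rejects anything outside the base64url token alphabet before it can become a filename. Because `filepath.Base` only splits on `\` when the program runs on Windows, `escapesOnWindows` simulates the Windows join so the traversal can be observed on any host. The cache directory, request paths and token are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"regexp"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/"

// weakHTTPTokenCacheKey reproduces the vulnerable pattern the finding describes:
// the key is taken from the request path with path.Base, which treats only '/'
// as a separator, so a Windows-style `..\` segment survives and is later joined
// onto the DirCache directory. Illustrative reconstruction, not autocert's code.
func weakHTTPTokenCacheKey(tokenPath string) string {
	return path.Base(tokenPath) + "+http-01"
}

// fixedHTTPTokenCacheKey shows the upstream-style fix: filepath.Base also treats
// '\' as a separator when running on Windows. On Linux it behaves exactly like
// path.Base, which is why the allowlist below is the portable defense.
func fixedHTTPTokenCacheKey(tokenPath string) string {
	return filepath.Base(tokenPath) + "+http-01"
}

// acmeToken is the base64url alphabet ACME challenge tokens are drawn from
// (RFC 8555 section 8.3). Anything else is not a token and never reaches the filesystem.
var acmeToken = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var errBadToken = errors.New("acme: token is not a bare base64url string")

// safeHTTPTokenCacheKey validates the token before building a key, so '/', '\'
// and '.' can never be part of a cache filename on any platform.
func safeHTTPTokenCacheKey(tokenPath string) (string, error) {
	tok := strings.TrimPrefix(tokenPath, challengePrefix)
	if !acmeToken.MatchString(tok) {
		return "", errBadToken
	}
	return tok + "+http-01", nil
}

// escapesOnWindows simulates filepath.Join(dir, key) under Windows separator
// rules (normalising '\' to '/') and reports whether the cleaned result leaves dir.
func escapesOnWindows(dir, key string) bool {
	joined := path.Join(dir, strings.ReplaceAll(key, `\`, "/"))
	return !strings.HasPrefix(joined, strings.TrimSuffix(dir, "/")+"/")
}

func main() {
	cacheDir := "C:/acme-cache" // hypothetical DirCache directory
	for _, p := range []string{
		challengePrefix + "dGhpcy1pcy1hLXRva2Vu",    // constructed legitimate token
		challengePrefix + `..\..\Users\svc\secret`, // constructed traversal attempt
	} {
		weak := weakHTTPTokenCacheKey(p)
		safe, err := safeHTTPTokenCacheKey(p)
		fmt.Printf("path=%q\n  weak key=%q escapes=%v\n  fixed key=%q\n  safe key=%q err=%v\n",
			p, weak, escapesOnWindows(cacheDir, weak), fixedHTTPTokenCacheKey(p), safe, err)
	}
}
```

      The traversal key still ends in `+http-01`, which is why the note above restricts the readable files to that suffix: the attacker controls the directory walk but not the suffix that is appended afterwards.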

      Remediation

      Upgrade `golang.org/x/crypto/acme/autocert` to version 0.24.0 or higher.
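      A CI-side check for this finding, added here as an example rather than anything from the mongo-tools repository: it reads the `require` entries of a go.mod (a constructed excerpt is embedded; the real file is not on the page), locates the `golang.org/x/crypto` module that contains `acme/autocert`, and reports whether the pinned version is below the 0.24.0 minimum. Pseudo-versions are compared on their numeric prefix.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt for the example.
const sampleGoMod = `module github.com/example/tools

go 1.22

require (
	golang.org/x/crypto v0.22.0
	golang.org/x/sys v0.20.0
)
`

// requiredVersion returns the version pinned for modulePath, handling both the
// single-line "require m v" form and the parenthesised block form; comments
// such as "// indirect" are ignored.
func requiredVersion(goMod, modulePath string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) >= 2 && f[0] == modulePath {
			return f[1], true
		}
	}
	return "", false
}

// parseVersion turns "v0.24.0" (or the numeric prefix of a pseudo-version such
// as "v0.0.0-20240101000000-abcdef") into major/minor/patch.
func parseVersion(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// atLeast reports whether have >= want under semver ordering of the numeric parts.
func atLeast(have, want string) (bool, error) {
	h, ok1 := parseVersion(have)
	w, ok2 := parseVersion(want)
	if !ok1 || !ok2 {
		return false, fmt.Errorf("unparseable version %q or %q", have, want)
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// vulnerable applies the finding's rule: golang.org/x/crypto pinned below v0.24.0.
// A go.mod that does not require the module at all is reported as not affected.
func vulnerable(goMod string) (version string, affected bool, err error) {
	ver, ok := requiredVersion(goMod, "golang.org/x/crypto")
	if !ok {
		return "", false, nil
	}
	fixed, err := atLeast(ver, "v0.24.0")
	return ver, !fixed, err
}

func main() {
	ver, affected, err := vulnerable(sampleGoMod)
	fmt.Printf("golang.org/x/crypto %s below v0.24.0: %v (err=%v)\n", ver, affected, err)
}
```

      The bump itself is `go get golang.org/x/crypto@v0.24.0` followed by `go mod tidy`; `govulncheck ./...` remains the authoritative check, since it also tells you whether the vulnerable function is actually reachable from the binary.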

      References

      CWEs: CWE-22

      Asset details:

      • Repository Name: mongodb/mongo-tools
      • Priority: 50 / 100
      • Environments: Production
      • URL: https://github.com/mongodb/mongo-tools
      • Languages: Go, Shell, Perl, Python, JavaScript
      • Labels: No labels assigned

      Security Tool Links this ticket covers (Optional to look at)

      🔥 You may request a temporary exception (expires on the exception-deadline you specify) by posting a comment: [justification] [exception-deadline] #request-exception. For example, if you need one more week:

      [Requires major change] [Jul 23, 2024] #request-exception

      You may also choose not to include an exception deadline by putting 'no-expiration' as your date: [justification] [no-expiration] #request-exception

      ๐Ÿง You may report a false positive by posting a comment: [justification] #report-false-positive. For example:

      [This S3 bucket is supposed to be public] #report-false-positive

      🤨 You may request that your team is not the right one for this by posting a comment: #request-another-team

      This issue was created, tracked and synced with Silk Security (https://silk.security)

            Assignee:
            dave.rolsky@mongodb.com Dave Rolsky
            Reporter:
            dbeng-pm-bot PM Bot
            Votes:
            0
            Watchers:
            2