Critical vulnerability detected in a dependency

[jakub-m-sobczak]

Describe the Bug
A critical vuln in golang.org/x/crypto detected by Grype:

NAME                          INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/golang-jwt/jwt/v4  v4.4.2     4.5.1     go-module  GHSA-29wx-vh33-7x7r  Low
golang.org/x/crypto           v0.27.0    0.31.0    go-module  GHSA-v778-237x-gjrc  Critical
libcrypto3                    3.1.7-r0   3.1.7-r1  apk        CVE-2024-9143        Medium
libssl3                       3.1.7-r0   3.1.7-r1  apk        CVE-2024-9143        Medium

Vuln:
CVE-2024-45337

Migrate Version
v4.18.1

Go Version
1.22

Additional context
This can be fixed with a PR by bumping golang.org/x/crypto from 0.27.0 to 0.31.0: #1210

[joschi]

The respective functionality (SSH server in golang.org/x/crypto/ssh) affected by CVE-2024-45337 is not used by migrate at all, I think this is not really critical in context of this project.

Updating the dependency would be nice, but it's not a game changer.

[jakub-m-sobczak]

Thanks @joschi. You're right. However, for some, not updating the dependency may be a little uncomfortable, bc Criticals have this annoying tendency to stop builds 😃

[GhimBoon]

Hi, is this going to be updated anytime soon?

[noorul]

Trivy is reporting the following

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v4 │ CVE-2024-51744 │ LOW      │ fixed  │ v4.4.2            │ 4.5.1         │ golang-jwt: Bad documentation of error handling in     │
│                              │                │          │        │                   │               │ ParseWithClaims can lead to potentially...             │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-51744             │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto          │ CVE-2024-45337 │ CRITICAL │        │ v0.27.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                              │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                              │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/net             │ CVE-2024-45338 │ HIGH     │        │ v0.29.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of           │
│                              │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html      │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338             │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

[nablaux]

The respective functionality (SSH server in golang.org/x/crypto/ssh) affected by CVE-2024-45337 is not used by migrate at all, I think this is not really critical in context of this project.

Updating the dependency would be nice, but it's not a game changer.

For us for example golang.org/x/crypto causes critical risks and is needed for ISO auditing. It would be really helpful if we can update these. Many thanks.

[joschi]

Resolved via bc06922 in https://github.com/golang-migrate/migrate/releases/tag/v4.18.2.