Security information
Updated the following middleware component versions to resolve vulnerabilities in MSR:
[ENGDTR-4167] Golang 1.21.8
[ENGDTR-4166] Synopsys Scanner 2023.12
All CVEs reported in Pillow are false positives, the result of being picked up from cache but for a version not in use with MSR.
Resolved CVEs, as detailed:

| CVE | Status | Problem details from upstream |
| --- | --- | --- |
| | Resolved | Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. |
| | Resolved | When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. |
| CVE-2023-45288 | Resolved | CVE has been reserved by an organization or individual and is not currently available in the NVD. |
| | Resolved | When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. |
| | Not Vulnerable | An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory. |
| | Not Vulnerable | Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). |
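The multipart form entry above concerns memory consumed while reading one form line before the parser's total-size limit applies. The following Go program is an added example written for these notes; it is not MSR code and not the Go standard library's fix. It shows the server-side pattern of capping the whole request body with http.MaxBytesReader before calling ParseMultipartForm, so that an oversized line is rejected at a fixed byte budget independently of how the parser accounts for memory. The field name "comment", the 4 KiB body cap, the 1 MiB in-memory limit and the helper names are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// buildMultipartBody constructs, in memory, a multipart/form-data body holding
// one text field named "comment" whose value is fieldLen bytes long. This is
// constructed sample input for the example, not traffic captured from MSR.
func buildMultipartBody(fieldLen int) (*bytes.Buffer, string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	fw, err := w.CreateFormField("comment")
	if err != nil {
		panic(err)
	}
	if _, err := fw.Write(bytes.Repeat([]byte("a"), fieldLen)); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return &buf, w.FormDataContentType()
}

// parseBoundedForm is the defensive pattern: wrap the request body in
// http.MaxBytesReader before calling ParseMultipartForm. The reader fails the
// parse once more than maxBody bytes have been consumed, so a single very long
// form line cannot be buffered beyond maxBody regardless of how the parser
// tracks memory. maxMemory is the usual ParseMultipartForm argument bounding
// what is kept in RAM before file parts spill to disk.
func parseBoundedForm(w http.ResponseWriter, r *http.Request, maxBody, maxMemory int64) (string, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		return "", err
	}
	return r.FormValue("comment"), nil
}

// tryParse drives parseBoundedForm with a constructed request whose single
// field is fieldLen bytes long under a body cap of maxBody bytes. It returns
// the length of the parsed field value and whether parsing succeeded.
func tryParse(fieldLen int, maxBody int64) (int, bool) {
	body, contentType := buildMultipartBody(fieldLen)
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	val, err := parseBoundedForm(rec, req, maxBody, 1<<20)
	if err != nil {
		return 0, false
	}
	return len(val), true
}

func main() {
	// A 100-byte field under a 4 KiB body cap parses normally.
	n, ok := tryParse(100, 4096)
	fmt.Printf("small field: len=%d ok=%v\n", n, ok)
	// A 1 MiB field under the same cap is rejected before it is read in full.
	n, ok = tryParse(1<<20, 4096)
	fmt.Printf("oversized field: len=%d ok=%v\n", n, ok)
}
```

The body cap is a belt-and-braces control: it holds on any Go version, including ones without the upstream ParseMultipartForm fix, and it also bounds the bytes a handler will read from an unauthenticated client. It complements rather than replaces the Golang 1.21.8 update listed at the top of this section.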