Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[🐸 Frogbot] Update version of github.com/hashicorp/go-retryablehttp to 0.7.7 #2690

Conversation

github-actions[bot]
Copy link
Contributor

🚨 This automated pull request was created by Frogbot and fixes the below:

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Medium
Not Covered github.com/hashicorp/go-retryablehttp:v0.7.2
github.com/jfrog/froggit-go:v1.16.1
github.com/jfrog/jfrog-cli-security:v1.8.0
github.com/xanzy/go-gitlab:v0.95.2
github.com/hashicorp/go-retryablehttp v0.7.2 [0.7.7] CVE-2024-6104

🔬 Research Details

Description:
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.


@eyalbe4 eyalbe4 added the safe to test Approve running integration tests on a pull request label Sep 10, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 10, 2024
@eyalbe4 eyalbe4 closed this Sep 10, 2024
@eyalbe4 eyalbe4 reopened this Sep 10, 2024
@eyalbe4 eyalbe4 added the bug Something isn't working label Sep 10, 2024
@eyalbe4 eyalbe4 merged commit 694d644 into dev Sep 10, 2024
77 checks passed
@sverdlov93 sverdlov93 deleted the frogbot-github.com/hashicorp/go-retryablehttp-e3f433662e29564690757d351adccff3 branch October 28, 2024 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants