paketo buildpacks vulnerable to CVE-2024-45337 (Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass) in golang.org/x/crypto #324
candrews started this conversation in Dependencies Team
Replies: 1 comment
-
As is typical, I believe this is a false positive. See my comment here for background: paketo-buildpacks/bellsoft-liberica#760
-
Multiple paketo buildpacks report a vulnerability to CVE-2024-45337 due to including golang.org/x/crypto < 0.31.0.
I confirmed this vulnerability in:
Trivy can be used to see this vulnerability being reported: