CVE-2020-9283 (High) detected in github.com/coreos/prometheus-operator-v0.26.0

[mend-bolt-for-github]

CVE-2020-9283 - High Severity Vulnerability

Vulnerable Library - github.com/coreos/prometheus-operator-v0.26.0

Prometheus Operator creates/configures/manages Prometheus clusters atop Kubernetes

Dependency Hierarchy:

• github.com/operator-framework/operator-sdk-e3225a40338e66e694de23d523e271db43ff0520 (Root Library)
  • ❌ github.com/coreos/prometheus-operator-v0.26.0 (Vulnerable Library)

Found in HEAD commit: 529bd4477562304d2b7ce7774b0f2acd4b189154

Found in base branch: master

Vulnerability Details

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Publish Date: 2020-02-20

URL: CVE-2020-9283

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283

Release Date: 2020-02-20

Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236

---

Step up your Open Source Security Game with Mend here