CVE-2021-41772 : go - 1.14.15
Created by: armorcodegithubapp[bot]
DOCUMENTATION: A vulnerability was found in archive/zip of the Go standard library. Applications written in Go that use Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument.
STATEMENT:
* In OpenShift Container Platform multiple components are written in Go and use archive/zip from the standard library. However, all such components are short-lived client-side tools, not long-lived server-side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.
* Because Service Telemetry Framework 1.2 will be retiring soon and the flaw's impact is lower, no update will be provided at this time for STF 1.2's sg-core-container.
* Because Red Hat Ceph Storage only uses Go's archive/zip for the Grafana CLI and thus is not directly exploitable, the vulnerability has been rated Low for Red Hat Ceph Storage.
Vulnerable Package: go
Current Version: 1.14.15
Image: apache/apisix-dashboard:latest
Path: /usr/local/apisix-dashboard/manager-api
Clusters: minikube
Host: minikube
Host Distro: CentOS Linux release 8.4.2105
CVSS: 7.5
CVSS Vector:
Vulnerability Type: image
File Path: /usr/local/apisix-dashboard/manager-api
Mitigation: fixed in 1.17.3, 1.16.10