CVE-2016-9122 (High) detected in github.com/docker/distribution-v2.7.1

[mend-bolt-for-github]

CVE-2016-9122 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.7.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

• ❌ github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: df1f7d3f67826e841793324e4796be4fbd91c00f

Found in base branch: main

Vulnerability Details

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Publish Date: 2017-03-28

URL: CVE-2016-9122

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Release Date: 2016-09-22

Fix Resolution: Replace or update the following files: signing.go, jws.go, crypter.go, signing_test.go, crypter_test.go

---

Step up your Open Source Security Game with Mend here

[github-actions]

Message that will be displayed on users' first issue

[github-actions]

Stale issue message

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.