Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix CVE-2024-45337 #2889

Closed
andyzhangx opened this issue Dec 12, 2024 · 2 comments · Fixed by #2890
Closed

fix CVE-2024-45337 #2889

andyzhangx opened this issue Dec 12, 2024 · 2 comments · Fixed by #2890
Assignees
@dphulkar-msft
Milestone
10.28.0

Comments

@andyzhangx
Copy link

usr/local/bin/azcopy (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ HIGH │ fixed │ v0.28.0 │ 0.31.0 │ Misuse of ServerConfig.PublicKeyCallback may cause │
│ │ │ │ │ │ │ authorization bypass in golang.org/x/crypto │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45337
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘
@dphulkar-msft dphulkar-msft mentioned this issue Dec 13, 2024
Merged
5 tasks
@dphulkar-msft dphulkar-msft self-assigned this Dec 13, 2024
@vibhansa-msft vibhansa-msft linked a pull request Dec 16, 2024 that will close this issue
Updated version of golang.org/x/crypto to resolve CVE-2024-45337 #2890
Merged
5 tasks
@vibhansa-msft vibhansa-msft added this to the 10.28.0 milestone Jan 20, 2025
@GlenGengMicrosoft
Copy link

@vibhansa-msft @dphulkar-msft Good day to you and this is Glen from Azure CSS team.

One of my customer is asking if we have ETA for the 10.28.0 to release which will contain this fix?

@dphulkar-msft
Copy link
Member

Hello,

The AzCopy 10.28.0 release is planned for January 28, 2025.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dphulkar-msft dphulkar-msft

Labels
None yet
Projects
None yet
Milestone
10.28.0
Development

Successfully merging a pull request may close this issue.

Updated version of golang.org/x/crypto to resolve CVE-2024-45337 Azure/azure-storage-azcopy
4 participants
@andyzhangx @vibhansa-msft @GlenGengMicrosoft @dphulkar-msft