github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1: 4 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com]

Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1

Docker machine driver for VMware Fusion and Workstation.

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-27191	High	7.5	github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1	Direct	N/A	❌
CVE-2020-9283	High	7.5	github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1	Direct	github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236	❌
CVE-2020-29652	High	7.5	github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1	Direct	v0.0.0-20201216223049-8b5274cf687f	❌
CVE-2021-43565	High	7.5	github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1	Direct	N/A	❌

Details

CVE-2022-27191

Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1

Docker machine driver for VMware Fusion and Workstation.

Dependency Hierarchy:

• ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Publish Date: 2022-03-18

URL: CVE-2022-27191

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2020-9283

Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1

Docker machine driver for VMware Fusion and Workstation.

Dependency Hierarchy:

• ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Publish Date: 2020-02-20

URL: CVE-2020-9283

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283

Release Date: 2020-02-20

Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236

CVE-2020-29652

Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1

Docker machine driver for VMware Fusion and Workstation.

Dependency Hierarchy:

• ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

CVE-2021-43565

Vulnerable Library - github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1

Docker machine driver for VMware Fusion and Workstation.

Dependency Hierarchy:

• ❌ github.com/machine-drivers/docker-machine-driver-vmware-v0.1.1 (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.

Publish Date: 2021-11-10

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.