Latest release v0.13.0 has CVE-2021-3538 (score 9.8) from dependency github.com/satori/go.uuid v1.2.0 #617
Comments
srlobo
changed the title
|
It looks like the vulnerability is for generating UUIDs from that library. This collector only uses the library to parse UUID from MySQL. Therefore this collector / version is not vulnerable to CVE-2021-3538. Please do not report results from vulnerability scanners without actively verifying that there is a vulnerability. These version-based scanners often produce false-positives. |
|
Ok, but it's not a good idea to link to unmaintained code anyway (as told in the project discussion): satori/go.uuid#73 (comment) They're suggesting change to https://github.com/gofrs/uuid |
|
PRs welcome. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
mysqld_exporter showed up in a security scan because it contains github.com/satori/[email protected]
https://nvd.nist.gov/vuln/detail/CVE-2021-3538
github.com/satori/go.uuid is used in
collector/slave_hosts.go.Would it be possible to make a patch release on docker hub containing an updated version of this module?
The text was updated successfully, but these errors were encountered: