Update golang.org/x/text to 0.3.3+ CVE-2020-14040 in SGW 2.8.x

Description

SyncGateway 2.8.x has a High Severity vulnerability in the golang.org/x/text library.

HIGH: https://nvd.nist.gov/vuln/detail/CVE-2020-14040

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

- Confirmed via Slack that SGW 2.8.3 is using a version that's between v0.3.0 and v0.3.1 (which will be affected by the CVE):
  https://github.com/couchbase/sync_gateway/blob/40f04c91d21a4d82db4927b6fc18bacd0862c0b9/manifest/2.8.xml#L78
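The practical question for anyone triaging this ticket is "which golang.org/x/text does this build actually link?" The following is an added example, not Couchbase or x/text code: a small stdlib-only Go checker that takes the one-line-per-module output of `go list -m all` (its "path version [=> replacement]" layout is assumed here), finds golang.org/x/text, honours a replace directive if present, and compares the version against v0.3.3, the first release the NVD text names as fixed. The function names (`xTextAffected`, `scanModuleList`) and the `sampleGoList` input are constructed for this example; the sample is not real Sync Gateway output.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedXTextVersion is the first golang.org/x/text release containing the
// fix for CVE-2020-14040 (per the NVD description quoted above).
const fixedXTextVersion = "v0.3.3"

// parseSemver extracts MAJOR.MINOR.PATCH from a Go module version such as
// "v0.3.1", a pseudo-version "v0.3.3-0.20200601000000-0123456789ab", or
// "v0.3.0+incompatible". prerelease reports whether a "-..." suffix was
// present; by semver ordering such a version sorts BEFORE the bare
// MAJOR.MINOR.PATCH it is derived from.
func parseSemver(v string) (major, minor, patch int, prerelease bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // drop build metadata
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release / pseudo-version
		prerelease = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return 0, 0, 0, false, fmt.Errorf("bad version component %q in %q", p, v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], prerelease, nil
}

// xTextAffected reports whether a golang.org/x/text module version is older
// than v0.3.3 and therefore affected by CVE-2020-14040. A pseudo-version
// derived from v0.3.3 (v0.3.3-0.2020...) is treated as affected: it sorts
// before the v0.3.3 tag and may predate the fix commit.
func xTextAffected(version string) (bool, error) {
	mj, mn, pt, pre, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	fMj, fMn, fPt, _, _ := parseSemver(fixedXTextVersion)
	switch {
	case mj != fMj:
		return mj < fMj, nil
	case mn != fMn:
		return mn < fMn, nil
	case pt != fPt:
		return pt < fPt, nil
	default:
		return pre, nil
	}
}

// scanModuleList searches `go list -m all` output for golang.org/x/text and
// returns the version that will actually be built (the replacement, if a
// replace directive is in effect), whether it is affected, and ok=false when
// the module is not listed at all.
func scanModuleList(goListOutput string) (version string, affected bool, ok bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "golang.org/x/text" {
			continue // main module line (no version) or another dependency
		}
		version = fields[1]
		if len(fields) >= 3 && fields[2] == "=>" {
			if len(fields) < 5 {
				// "path version => ../localdir": a directory replacement has no
				// version to compare; the caller has to inspect that tree.
				return fields[3], false, true, fmt.Errorf("local replacement %q: inspect the directory", fields[3])
			}
			version = fields[4]
		}
		affected, err = xTextAffected(version)
		return version, affected, true, err
	}
	return "", false, false, nil
}

// sampleGoList is a constructed stand-in for `go list -m all` output from a
// build that still pins a pre-fix x/text. It is not real Sync Gateway output.
const sampleGoList = `github.com/example/sync_gateway
github.com/gorilla/mux v1.7.3
golang.org/x/text v0.3.1
`

func main() {
	v, affected, found, err := scanModuleList(sampleGoList)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case !found:
		fmt.Println("golang.org/x/text is not in the module list")
	case affected:
		fmt.Printf("golang.org/x/text %s is affected by CVE-2020-14040; upgrade to %s or later\n", v, fixedXTextVersion)
	default:
		fmt.Printf("golang.org/x/text %s is not affected\n", v)
	}
}
```

Where a build pins dependencies by commit in a manifest rather than by tag, which is what the note above about a version "between v0.3.0 and v0.3.1" suggests for the 2.8.x tree, resolve the pinned commit to a tag first (for example `git describe --tags <commit>` in an x/text checkout) before feeding it to the check. For a runtime confirmation, the NVD text itself describes the probe: pass a single byte through `transform.String` with a UTF-16 decoder created with `unicode.UseBOM` or `unicode.ExpectBOM`, run it in a goroutine under a timeout, and treat a call that never returns as an affected build.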

Activity

Ben Brooks May 6, 2022 at 2:06 PM

No worries, thanks!

Daniel Petersen May 6, 2022 at 2:04 PM

dup of

Daniel Petersen May 6, 2022 at 2:03 PM

OK - I thought that was the case but wasn't sure. I cloned this ticket and gave it a 2.8.4 milestone. We can close this then.

Ben Brooks May 6, 2022 at 1:50 PM

This is already fixed in 3.x via , should the fix version be left blank until we have a 2.8.x release?

Fixed

Details

CVSS/Severity

High

Created May 6, 2022 at 1:24 PM
Updated August 31, 2024 at 10:58 AM
Resolved April 13, 2023 at 11:01 PM