
x/vulndb: potential Go vuln in github.com/spiffe/spire: GHSA-m7vp-hqwv-7m5x #373

Status: Closed
GoVulnBot opened this issue Mar 24, 2022 · 3 comments
Labels: excluded: DEPENDENT_VULNERABILITY (This vulnerability is downstream of another existing vulnerability report.)

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-m7vp-hqwv-7m5x, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/spiffe/spire | 1.1.3 | >= 1.1.0, < 1.1.3 |

See doc/triage.md for instructions on how to triage this report.

package: github.com/spiffe/spire
additional_packages:
  - package: github.com/spiffe/spire
    versions:
      - introduced: v0.0.0
        fixed: v1.0.3
versions:
  - introduced: v1.1.0
    fixed: v1.1.3
description: |
    ### Impact
    The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/http package. HTTP/2 endpoints consuming the net/http package within SPIRE server and agent (or other components in this repository) that are _on by default_ include the following:
    - OIDC Discovery Provider
    - K8s Workload Registrar in webhook mode

    The following endpoints are vulnerable _when enabled_:
    - SPIRE server bundle endpoint (i.e. Federation API)

    The following endpoints are _NOT_ vulnerable, since HTTP/2 support in Go is not enabled on non-TLS protected endpoints:
    - SPIRE server/agent metrics endpoint when configured for Prometheus
    - SPIRE server/agent health endpoints
    - SPIRE server/agent profiling endpoints

    ### Patches
    SPIRE 1.0.3 and 1.1.3 have been released with an upgraded Go toolchain which patches the vulnerability.

    ### Workarounds
    The vulnerability can be worked around entirely by including the `http2server=0` value in the `GODEBUG` environment variable (see https://github.com/golang/go/issues/50058). This turns off HTTP/2 support on all non-gRPC endpoints. They will still function with HTTP/1.1.

    The risk associated with this vulnerability can be somewhat mitigated by limiting the exposure of the endpoints in question. If necessary, vulnerable components or endpoints that are optionally configured can be disabled temporarily.

    ### References
    - https://github.com/golang/go/issues/50058
    - https://go-review.googlesource.com/c/go/+/370574/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44716
published: 2022-01-12T22:33:04Z
last_modified: 2022-01-12T22:33:04Z
ghsas:
  - GHSA-m7vp-hqwv-7m5x
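To confirm that the `GODEBUG=http2server=0` workaround described in the advisory has actually taken effect on a net/http TLS endpoint, here is an added Go example (not part of this issue, the Go vulndb, or the SPIRE project): it dials the endpoint offering h2 via ALPN and reports what the server negotiated, then checks that a normal request still succeeds over HTTP/1.1. The httptest servers and their EnableHTTP2 switch are stand-ins for a real endpoint with and without the workaround, and `negotiatedProto`, `newEndpoint` and `servedProto` are names chosen for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"net/http"
	"net/http/httptest"
)

// negotiatedProto dials addr over TLS, offering h2 and http/1.1 via ALPN as a
// modern client would, and returns what the server picked: "h2" means the
// listener still speaks HTTP/2, "http/1.1" means HTTP/2 is off there (the
// effect of GODEBUG=http2server=0). ca nil means trust the system CA pool.
func negotiatedProto(addr string, ca *x509.Certificate) (string, error) {
	cfg := &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
	if ca != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(ca)
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

// newEndpoint stands in for a net/http TLS endpoint such as the SPIRE bundle
// endpoint (constructed for this example). httptest's EnableHTTP2 switch plays
// the role of GODEBUG: false corresponds to http2server=0, so the listener
// advertises only http/1.1 over ALPN.
func newEndpoint(http2 bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.EnableHTTP2 = http2
	srv.StartTLS()
	return srv
}

// servedProto makes one request with the server's own client and returns the
// HTTP version actually used ("HTTP/2.0", or "HTTP/1.1" once HTTP/2 is off),
// confirming the endpoint keeps answering after the workaround.
func servedProto(srv *httptest.Server) (string, error) {
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Proto, nil
}
```

Against a real deployment, call `negotiatedProto` with the endpoint's host:port and the CA that signs its serving certificate; a result of "h2" after setting the GODEBUG variable means the process did not pick it up.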

neild (Contributor) commented Jul 8, 2022

This is CVE-2021-44716 as applied to this particular project. No need for a separate report for it (and I'm not sure that this is in an importable package anyway).

@neild neild closed this as completed Jul 8, 2022
@tatianab tatianab added excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report. and removed duplicate labels Jul 28, 2023
tatianab (Contributor) commented:

Needs excluded report

@tatianab tatianab reopened this Jul 28, 2023
gopherbot (Contributor) commented:

Change https://go.dev/cl/513918 mentions this issue: data/excluded: batch add 26 excluded reports
