
CVE-2024-24791 in v4.16.3 #1024

Open
SivaneshLogandurai opened this issue Jul 3, 2024 · 4 comments
Labels
awaiting/bridge The issue cannot be resolved without action in pulumi-terraform-bridge. kind/bug Some behavior is incorrect or out of spec

Comments

@SivaneshLogandurai

Describe what happened

Our scanning jobs have identified a new CVE "CVE-2024-24791" in the pulumi-std v1.7.2. This is an issue with the Go standard library net/http.

Sample program

N/A

Log output

Scan result

{
  "Target": "home/sl/.pulumi/plugins/resource-random-v4.16.3/pulumi-resource-random",
  "Class": "lang-pkgs",
  "Type": "gobinary",
  "Vulnerabilities": [
    {
      "VulnerabilityID": "CVE-2024-24791",
      "PkgName": "stdlib",
      "PkgIdentifier": {
        "PURL": "pkg:golang/stdlib@1.21.11",
        "UID": "8a43d8dd3a95d65b"
      },
      "InstalledVersion": "1.21.11",
      "FixedVersion": "1.21.12, 1.22.5",
      "Status": "fixed",
      "Layer": {
        "Digest": "sha256:12b42ef700cd619bf6b070c29488e45d2706debd29cc072b6c70cfc476aba9bb",
        "DiffID": "sha256:c01c35830eba6aa5d25006afdecebf6a3ed84701acf2ab573180bd5dc488c3c0"
      },
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-24791",
      "DataSource": {
        "ID": "govulndb",
        "Name": "The Go Vulnerability Database",
        "URL": "https://pkg.go.dev/vuln/"
      },
      "Description": "The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.",
      "Severity": "UNKNOWN",
      "References": [
        "https://go.dev/cl/591255",
        "https://go.dev/issue/67555",
        "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
        "https://pkg.go.dev/vuln/GO-2024-2963"
      ],
      "PublishedDate": "2024-07-02T22:15:04.833Z",
      "LastModifiedDate": "2024-07-02T22:15:04.833Z"
    }
  ]
}

Affected Resource(s)

No response

Output of pulumi about

Using pulumi v3.122.0 and pulumi-random v4.16.3

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
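The scan result above reports a Go standard library finding with a "FixedVersion" that lists one patched release per supported line ("1.21.12, 1.22.5"), so a binary built with 1.21.11 needs 1.21.12 and a 1.22.4 binary needs 1.22.5, while 1.23.0 already contains the fix. The following Go program, an added example that is not part of this issue or of the pulumi-random project, parses a trimmed Trivy-style record (constructed from the fields shown above; the "Result" and "Vulnerability" struct names and the "Triage" and "IsAffected" helpers are this example's own) and decides which stdlib findings still require a toolchain upgrade, handling the same-line, newer-line, older-line and no-fix cases.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Result is the subset of a Trivy JSON result that triage needs.
// The field names match the scan output; the struct names are ours.
type Result struct {
	Target          string          `json:"Target"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

// Vulnerability keeps only the fields used to decide if an upgrade is due.
type Vulnerability struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
}

// parseVersion turns "1.21.11" (or "go1.21.11") into [1 21 11].
// A missing patch component is treated as 0 ("1.22" == "1.22.0").
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unexpected Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in version %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// less reports whether a sorts before b (major, then minor, then patch).
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsAffected reports whether the installed toolchain still lacks the fix.
// fixedList is Trivy's comma-separated "FixedVersion" value, one entry per
// supported release line. An empty list means no fix exists, so affected.
func IsAffected(installed, fixedList string) (bool, error) {
	if strings.TrimSpace(fixedList) == "" {
		return true, nil
	}
	inst, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	var fixes [][3]int
	for _, f := range strings.Split(fixedList, ",") {
		fix, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		fixes = append(fixes, fix)
	}
	// Same release line as a listed fix: compare the patch number.
	for _, fix := range fixes {
		if fix[0] == inst[0] && fix[1] == inst[1] {
			return less(inst, fix), nil
		}
	}
	// Line not listed: a line newer than every fix already contains it;
	// an older, unsupported line never received one.
	newest := fixes[0]
	for _, fix := range fixes[1:] {
		if less(newest, fix) {
			newest = fix
		}
	}
	return less(inst, newest), nil
}

// Triage parses a Trivy result and returns the IDs of stdlib findings
// for which the scanned binary's toolchain is still below the fix.
func Triage(raw []byte) ([]string, error) {
	var r Result
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var pending []string
	for _, v := range r.Vulnerabilities {
		if v.PkgName != "stdlib" {
			continue
		}
		affected, err := IsAffected(v.InstalledVersion, v.FixedVersion)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", v.VulnerabilityID, err)
		}
		if affected {
			pending = append(pending, v.VulnerabilityID)
		}
	}
	return pending, nil
}

// sampleScan is a constructed, trimmed copy of the finding reported above.
const sampleScan = `{
  "Target": "pulumi-resource-random",
  "Vulnerabilities": [{
    "VulnerabilityID": "CVE-2024-24791",
    "PkgName": "stdlib",
    "InstalledVersion": "1.21.11",
    "FixedVersion": "1.21.12, 1.22.5"
  }]
}`

func main() {
	pending, err := Triage([]byte(sampleScan))
	if err != nil {
		panic(err)
	}
	fmt.Println("stdlib findings still needing an upgrade:", pending)
}
```

Version comparison only says whether the binary was built with a patched toolchain; it says nothing about whether the vulnerable code path (here the HTTP/1.1 client's Expect: 100-continue handling, reachable through httputil.ReverseProxy) is linked into or used by the plugin, which is the question a triage call like the one in this thread really turns on.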

@SivaneshLogandurai SivaneshLogandurai added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jul 3, 2024
@VenelinMartinov
Contributor

Thanks for reporting.

This should get addressed once pulumi/pulumi-terraform-bridge#2160 gets picked up here.

@guineveresaenger guineveresaenger added awaiting/bridge The issue cannot be resolved without action in pulumi-terraform-bridge. and removed needs-triage Needs attention from the triage team labels Jul 3, 2024
@SivaneshLogandurai
Author

@VenelinMartinov Can I get an ETA on this ticket?

@VenelinMartinov
Contributor

This should get released this week. Do you have a specific reason you need this? Seems unlikely this actually affects the library. I am not aware of any uses of a reverse proxy here.

@sivaneshl

It's just that our scans are failing with the CVE.
