Merge pull request #140 from AikidoSec/new-in-ydb-go-sdk

new vulnerability in ydb-go-sdk
AikidoSec · Feb 4, 2025 · 8246517 · 8246517
2 parents 4d3518f + 4c4479a
commit 8246517
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/vulnerabilities/AIKIDO-2025-10072.json b/vulnerabilities/AIKIDO-2025-10072.json
@@ -0,0 +1,28 @@
+{
+  "package_name": "github.com/ydb-platform/ydb-go-sdk/v3",
+  "patch_versions": [
+    "3.99.3"
+  ],
+  "vulnerable_ranges": [
+    [
+      "3.26.0",
+      "3.99.2"
+    ]
+  ],
+  "cwe": [
+    "CWE-835",
+    "CWE-400"
+  ],
+  "tldr": "Affected versions of this package are vulnerable to an infinite loop in the `internal/balancer/local_dc.go::getRandomEndpoints` function. This flaw can cause the system to hang indefinitely, leading to a Denial of Service (DoS) by consuming resources and rendering the application unresponsive.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `github.com/ydb-platform/ydb-go-sdk/v3` library to the patch version.",
+  "reporter": "",
+  "vulnerable_to": "Infinite Loop",
+  "related_cve_id": "",
+  "language": "GO",
+  "severity_class": "LOW",
+  "aikido_score": 16,
+  "changelog": "https://github.com/ydb-platform/ydb-go-sdk/releases/tag/v3.99.3",
+  "last_modified": "2025-02-04",
+  "published": "2025-02-04"
+}