Latest version 3.2.0 exposes some vulnerabilities

[alexopenline]

Exposed vulnerabilities:

• https://www.cve.org/CVERecord?id=CVE-2022-41727
• https://www.cve.org/CVERecord?id=CVE-2023-29407
• https://www.cve.org/CVERecord?id=CVE-2023-29408

Introduced through:
google.golang.org/genproto/googleapis/rpc@v0.0.0-20231016165738-49dd2c1f3d0b
Fixed in:
golang.org/x/image/tiff@0.10.0

[cdevarenne]

Thank you for sharing this @alexopenline, we will look at this ASAP.

[cdevarenne]

All three CVEs involve processing an image: decoding a TIFF image.
Even if you are storing TIFF images as events in EventStoreDB, it wouldn’t call the code mentioned in the CVEs.

However a client application that’s decoding a TIFF image from an event could be at risk. In such a case, the onus is on the app developer to use the later version of Go’s TIFF dependency you mention.

We are currently using the October 16 version of this rpc dependency. The Oct 16, Oct 30 and Nov 6 versions of rpc do not mention this as a security issue.

Thanks.