Fix for CVE-2022-1996 (Score: 9.1) #175

Closed
sandramayer2 opened this issue Jun 24, 2022 · 5 comments · Fixed by #184 or #185
@sandramayer2

Hi,
our security scan tool found a possible very high security issue for CVE-2022-1996.

How is this repository affected?

This affects the Go module emicklei/go-restful for versions before 3.8.0.
In this repository, version 2.9.5 is used:

Solution

At the moment there is already a fix, but only for the newest version, 3.8.0:
Code for the fix: emicklei/go-restful@fd3c327
Issue: emicklei/go-restful#489

Can you please update your Go modules to the newest state to fix this issue?

Best regards
Sandra

@ibihim (Collaborator) commented Jun 28, 2022

This is an indirect dependency that we are pulling in from k8s/apiserver. emicklei/go-restful is used for

package for building REST-style Web Services using Google Go

We don't use that part of the codebase: we are not affected by the vulnerability at all.

We will make a version bump soon, so the alerts will go away.

@ibihim (Collaborator) commented Jun 29, 2022

We updated the kubernetes dependencies. We can't do more than that, but I could imagine that it won't contain the newest fix you are referring to.

I would keep the issue open for 30 days and then close it, if there are no other concerns around it.

@Darnesey commented Jul 25, 2022

Adding a comment here to express interest in the resolution for this. Do we have any updates on possible version updates for this CVE? I'm curious if the fix requires leveraging the replace directive in the go mod file if simply upgrading the direct dependencies isn't enough.

Also, my company's scanning tool is picking up this CVE as well as one for golang.org/x/crypto (CVE-2022-27191) (High Severity). This also appears to be an indirect dependency, so it's not clear to me whether your service leverages code here that can trigger the ssh crash.

Image version scanned with: kube-rbac-proxy:0.13.0
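One way to answer the version question raised above is to compare the module version Go actually resolves against the fixed version the issue names (3.8.0). The script below is an added example, not part of this thread or of the kube-rbac-proxy project; it parses a constructed sample in the format of `go list -m all` so it runs offline.

```shell
#!/bin/sh
# Added example: check whether an indirect Go module resolves to a version
# below a known fixed version. Input format is that of `go list -m all`
# ("<module path> <version>" per line). Needs GNU `sort -V`.

# Constructed sample of `go list -m all` output; not the real module list.
SAMPLE_MODULES='github.com/brancz/kube-rbac-proxy
github.com/emicklei/go-restful v2.9.5+incompatible
golang.org/x/crypto v0.0.0-20220101000000-0123456789ab
k8s.io/apiserver v0.24.2'

# module_version <module path>: print the resolved version, or nothing.
module_version() {
    printf '%s\n' "$SAMPLE_MODULES" | awk -v m="$1" '$1 == m { print $2 }'
}

# version_below <have> <min>: succeed when <have> is older than <min>.
# Strips the leading "v" and build metadata such as "+incompatible".
version_below() {
    have=${1#v}; min=${2#v}
    have=${have%%+*}; min=${min%%+*}
    [ "$have" = "$min" ] && return 1
    first=$(printf '%s\n%s\n' "$have" "$min" | sort -V | head -n1)
    [ "$first" = "$have" ]
}

# check_module <module path> <fixed version>: print a verdict line and
# return 1 only when the resolved version is below the fixed one.
check_module() {
    v=$(module_version "$1")
    if [ -z "$v" ]; then
        echo "ABSENT $1"; return 0
    fi
    if version_below "$v" "$2"; then
        echo "VULNERABLE $1 $v < $2"; return 1
    fi
    echo "OK $1 $v"; return 0
}

# Fixed version taken from the issue text (3.8.0).
check_module github.com/emicklei/go-restful v3.8.0 || true
```

In a real checkout, replace SAMPLE_MODULES with the output of `go list -m all`; `go mod why -m <module>` then shows whether any package in the build actually imports the module, which is the reachability question raised for this indirect dependency.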

@ibihim (Collaborator) commented Aug 3, 2022

Hi, I will take a look. We are / were in vacation mode.

@ibihim (Collaborator) commented Aug 8, 2022

Cross referencing this issue as there is a general need to solve CVEs that are unrelated:
