Fix for CVE-2022-1996 (Score: 9.1)

[sandramayer2]

Hi,
our security scan tool find a possible very high security issue for the CVE-2022-1996.

How it this repository affected?

This affected the go-module emicklei/go-restful for versions before 3.8.0.
In this repository is version 2.15.0 used (https://github.com/kubernetes-sigs/prometheus-adapter/blob/master/go.sum#L158).

Solution

At the moment there exist already a fix but for the newest version 3.8.0:
Code for the fix: emicklei/go-restful@fd3c327
Issue: emicklei/go-restful#489

Can you please update your Go modules to the newest state to fix this issue?

Best regards
Sandra

[gburton1]

Related to another PR that will fix a lot of other CVEs in Golang itself: #519

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[dgrisonnet]

This is a false positive from a transitive dependency that is not using the functionality that is impacted by the CVE, so there is no need to fix it for now.