gopkg.in/yaml.v2 v2.2.4 security vulnerability - CVE-2019-11254 #387

Closed
JimFicarra opened this issue May 14, 2020 · 1 comment · Fixed by #389

@JimFicarra

Gomega has been flagged by Whitesource security scanning software with a denial of service vulnerability to the kube-apiserver (e.g. sending malicious yaml payloads that consume excessive CPU cycles). Gomega directly imports v2.2.4.

Are there any plans to migrate gomega to use v2.2.8? We've had to downgrade ginkgo/gomega versions to avoid using this version of yaml, but would prefer to use the latest. Please see links below.

NIST Vulnerability DB Reference

Issue reference in Kubernetes git repo

@blgm
Collaborator

blgm commented May 20, 2020

Hi. This should be fixed by #389 and is released in v1.10.1
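
As an added example (not Gomega's code and not part of either comment), a small Go check for the condition this issue describes: a `go.mod` that requires `gopkg.in/yaml.v2` below v2.2.8. The v2.2.8 threshold is taken from the issue text; `FindOldYAML`, `parse`, `older` and the sample `go.mod` are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption from the issue text: v2.2.8 is the yaml.v2 release to move to.
const module, fixed = "gopkg.in/yaml.v2", "v2.2.8"

// parse reads the numeric vMAJOR.MINOR.PATCH prefix of a version string.
// Pre-release or build suffixes are ignored, so v2.2.8-rc1 compares as v2.2.8.
func parse(v string) (p [3]int, ok bool) {
	n, _ := fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	return p, n == 3
}

// older reports whether version a sorts strictly before version b.
func older(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// FindOldYAML returns every yaml.v2 version required in the go.mod text that
// predates the fixed release. It handles single-line and block require forms;
// replace directives are not evaluated.
func FindOldYAML(gomod string) []string {
	var hits []string
	want, _ := parse(fixed)
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || f[0] != module {
			continue
		}
		if got, ok := parse(f[1]); ok && older(got, want) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

func main() {
	// Constructed go.mod for illustration; not taken from any real project.
	sample := "module example.com/app\n\nrequire (\n\tgopkg.in/yaml.v2 v2.2.4 // indirect\n)\n"
	fmt.Println(FindOldYAML(sample))
}
```

A `go.mod` only records minimum requirements; the version actually selected for the build is the one reported by `go list -m gopkg.in/yaml.v2`.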
