
CVE: PRISMA-2022-0227 in emicklei/go-restful/v3 #635

Closed
sf-nwaller opened this issue Oct 18, 2023 · 4 comments · Fixed by #687
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@sf-nwaller

sf-nwaller commented Oct 18, 2023

Twistlock reports the following vulnerability with aws-iam-authenticator:

Package: github.com/emicklei/go-restful/v3
CVE: PRISMA-2022-0227
Fix Status: Fixed in:v3.10.0
Impacted versions: <v3.10.0

github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypasses in a complex system.


Currently aws-iam-authenticator is bringing in v3.9.0 as an indirect dependency:

github.com/emicklei/go-restful/v3 v3.9.0 // indirect

go-restful v3.10.0 introduced a regression, but v3.11.0 fixes the vulnerability and also fixes the regression.

Suggestion: go.mod should be updated when possible.
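The check a version-based scanner performs on the report above, written out as an added example (this is not code from the issue, from aws-iam-authenticator, or from Prisma/Twistlock): parse the `require` entries of a go.mod, look up github.com/emicklei/go-restful/v3, and compare its version numerically against the "Fixed in" version. The go.mod text is constructed for the example; only the go-restful line matches what the issue quotes. Module names other than go-restful and the function names are illustrative.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// goMod is a constructed go.mod fragment standing in for the one the issue
// describes; only the go-restful line is taken from the report.
const goMod = `module example.com/aws-iam-authenticator

go 1.20

require (
	github.com/aws/aws-sdk-go v1.44.0
	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
	k8s.io/apimachinery v0.28.0
)
`

// ModVersion is one require entry: module path, version, and whether go mod
// marked it as an indirect dependency.
type ModVersion struct {
	Path, Version string
	Indirect      bool
}

// parseRequires extracts module/version pairs from go.mod text. It handles
// the block form `require ( ... )` and the single-line `require path version`.
func parseRequires(src string) []ModVersion {
	var out []ModVersion
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module/go/replace lines etc. are not require entries
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		out = append(out, ModVersion{
			Path:     fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
		})
	}
	return out
}

// parseSemver splits "vMAJOR.MINOR.PATCH" into ints. Pre-release and build
// suffixes are dropped, which is sufficient for a "below fixed version" check.
func parseSemver(v string) (nums [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, false
		}
		nums[i] = n
	}
	return nums, true
}

// affectedVersion reports whether have sorts numerically below fixedIn
// (so v3.9.0 < v3.10.0, which a plain string comparison would get wrong).
// Unparseable versions are never reported as affected.
func affectedVersion(have, fixedIn string) bool {
	x, okA := parseSemver(have)
	y, okB := parseSemver(fixedIn)
	if !okA || !okB {
		return false
	}
	for i := 0; i < 3; i++ {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// findAffected looks modulePath up in the go.mod text and reports whether it
// is present, whether its version is below fixedIn, and the version found.
func findAffected(src, modulePath, fixedIn string) (found, affected bool, version string) {
	for _, m := range parseRequires(src) {
		if m.Path == modulePath {
			return true, affectedVersion(m.Version, fixedIn), m.Version
		}
	}
	return false, false, ""
}

func main() {
	const mod = "github.com/emicklei/go-restful/v3"
	found, affected, ver := findAffected(goMod, mod, "v3.10.0")
	fmt.Printf("%s: found=%v version=%s below-fix=%v\n", mod, found, ver, affected)
}
```

This reproduces only the version-range match the scanner report is based on. It says nothing about whether the affected go-restful code is reachable from aws-iam-authenticator, which is what a symbol-aware tool such as govulncheck additionally checks and why the two tools can disagree on the same go.mod.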

@micahhausler
Member

micahhausler commented Nov 7, 2023

Thanks for the issue. Do you have a real CVE ID to point to? Twistlock/Prisma is a commercial project that the Kubernetes project doesn't have a subscription to, and it's not clear that we're actually impacted with the affected symbols, as govulncheck doesn't identify any issue here. I'm not opposed to updating dependencies, particularly vulnerable dependencies, but I don't want to quickly make updates just to make an eager scanner happy. Have a look at the k/k comment for this exact dependency in Kubernetes.

@sf-nwaller
Author

I don't have a real CVE to point to.

It's probably fair to describe Twistlock as an "eager scanner" and I'm not sure there's any real security impact with aws-iam-authenticator.

Your assessment sounds correct to me.

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 5, 2024
@sf-nwaller
Author

I am no longer using aws-iam-authenticator so I'll close this issue.
