logrus and go-restful vulnerabilities in ansible-operator #6502

Closed
venkataramanam opened this issue Jul 18, 2023 · 2 comments · Fixed by #6511
Labels: good first issue, help wanted, language/ansible
@venkataramanam:
The following security vulnerabilities are detected by the Twistlock image security scanner against the latest ansible-operator:v1.30.0 binary. Could we have these fixed, please? Thank you.

| severity | cve | link | hasfix | status | packageType | packageName | packageVersion | packagePath | description |
|---|---|---|---|---|---|---|---|---|---|
| M | PRISMA-2023-0056 | sirupsen/logrus#1370 | Y | fixed in v1.9.3 | go | github.com/sirupsen/logrus | v1.9.2 | /usr/local/bin/ansible-operator | The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without newlines causes the log writer function to hang indefinitely. |
| H | PRISMA-2022-0227 | emicklei/go-restful#497 | Y | fixed in v3.10.0 | go | github.com/emicklei/go-restful/v3 | v3.9.0 | /usr/local/bin/ansible-operator | The github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypasses in a complex system. |
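A way to confirm the scanner's finding on a built binary, added here as an example and not part of this issue or the operator-sdk code: it reads the module list that the Go linker embeds in the binary (the same data `go version -m` prints) via the standard library's debug/buildinfo package and flags the two modules from the table above when their version is below the reported fix. The binary path is taken from the packagePath column; the integer version key is an assumption that holds for canonical vX.Y.Z module versions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// Fixed versions as reported in the scanner table above.
var fixedIn = map[string]string{
	"github.com/sirupsen/logrus":        "v1.9.3",
	"github.com/emicklei/go-restful/v3": "v3.10.0",
}

// key maps a canonical "vX.Y.Z[-pre]" to an integer that orders numerically, so
// v3.9.0 < v3.10.0 (a plain string compare gets that backwards). Any -pre or
// pseudo-version suffix is ignored, so a pre-release equals its release.
func key(v string) int {
	var x, y, z int
	fmt.Sscanf(v, "v%d.%d.%d", &x, &y, &z) // stops at the first non-numeric char
	return x*1000000 + y*1000 + z
}

// CheckDep reports whether module path@version predates its known fix.
func CheckDep(path, version string) (string, bool) {
	if fix, ok := fixedIn[path]; ok && key(version) < key(fix) {
		return fmt.Sprintf("%s %s: fixed in %s", path, version, fix), true
	}
	return "", false
}

// usage: go run . /usr/local/bin/ansible-operator
// Reads the build info embedded in the binary, the same data `go version -m` prints.
func main() {
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, d := range bi.Deps {
		if d.Replace != nil { // a replaced module is what is actually linked in
			d = d.Replace
		}
		if msg, bad := CheckDep(d.Path, d.Version); bad {
			fmt.Println(msg)
		}
	}
}
```

Running it against the v1.30.0 image's binary should print both table rows; against a build with the bumped modules it prints nothing.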
@rashmigottipati added this to the Backlog milestone Jul 24, 2023
@rashmigottipati added the good first issue, language/ansible and help wanted labels Jul 24, 2023
@acornett21 (Contributor):
/assign
