
SHA-1 Weak Authentication Algorithm vulnerability in dependency "request"

Open aqan213 opened this issue 4 years ago • 5 comments

Our customer reported a vulnerability in bluemix-autoscaling-agent caused by the "request" package. The vulnerability report says:

"The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." 

Here is the hierarchy of the "request" module tracking back to appmetrics

"request" --> "kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics" --> "bluemix-autoscaling-agent"

According to request/request#2640 it looks like all versions of request are vulnerable and the request package is deprecated. Can you please take a look? Thanks.

aqan213 avatar Jan 15 '21 01:01 aqan213

Hi, can anyone help to check this issue? Thanks.

aqan213 avatar Jan 20 '21 14:01 aqan213

The customer is supposed to fix it in Feb. Is it possible to address this issue ASAP, or can you please give us a date when you plan to do it? Thanks.

aqan213 avatar Feb 02 '21 01:02 aqan213

Hi, we are also facing the same issue. Is there a fix expected for this any time soon?

pinkyjpainadath avatar Feb 18 '21 00:02 pinkyjpainadath

Hi ... any chance to replace "request" with something else that is not vulnerable?

donacarr avatar Mar 25 '21 08:03 donacarr

There is already an issue here for request being deprecated.

https://github.com/godaddy/kubernetes-client/issues/614

It would probably make sense to close this issue in preference to that issue.

godber avatar Apr 28 '21 21:04 godber