prometheus-adapter
Fix for CVE-2022-1996 (Score: 9.1)
Hi, our security scan tool finds a possible very high security issue for CVE-2022-1996.
How is this repository affected?
This affects the Go module emicklei/go-restful in versions before 3.8.0. This repository uses version 2.15.0 (https://github.com/kubernetes-sigs/prometheus-adapter/blob/master/go.sum#L158).
Solution
At the moment a fix already exists, but only in the newest version 3.8.0. Code for the fix: https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 Issue: https://github.com/emicklei/go-restful/issues/489
Can you please update your Go modules to the newest state to fix this issue?
Best regards, Sandra
Related to another PR that will fix a lot of other CVEs in Golang itself: https://github.com/kubernetes-sigs/prometheus-adapter/pull/519
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
This is a false positive from a transitive dependency that is not using the functionality that is impacted by the CVE, so there is no need to fix it for now.
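The thread turns on two questions: which go-restful versions the module graph pins (the go.sum lookup in the report above) and whether a pinned version below the fixed one actually matters (the maintainer's "not using the functionality" reply). The Go program below is an added example, not code from this issue or from prometheus-adapter. It scans a constructed go.sum excerpt (placeholder hashes, not the project's real file) for every entry of a module, including its major-version module paths such as github.com/emicklei/go-restful/v3, and reports the ones pinned below a given fixed version. The module path, the v3.7.3 entry and the hashes are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoSum is a constructed go.sum excerpt with placeholder hashes; it is
// not the project's real go.sum. go.sum lists every version that appeared in
// the module graph, so several versions of one module can be present.
const sampleGoSum = `github.com/emicklei/go-restful v2.15.0+incompatible h1:PLACEHOLDER0=
github.com/emicklei/go-restful v2.15.0+incompatible/go.mod h1:PLACEHOLDER1=
github.com/emicklei/go-restful/v3 v3.7.3 h1:PLACEHOLDER2=
github.com/emicklei/go-restful/v3 v3.7.3/go.mod h1:PLACEHOLDER3=
github.com/emicklei/go-restful/v3 v3.8.0 h1:PLACEHOLDER4=
github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:PLACEHOLDER5=
github.com/go-logr/logr v1.2.3 h1:PLACEHOLDER6=
`

// parseVersion splits "v2.15.0+incompatible" or "v3.8.0-rc.1" into its numeric
// core and reports whether a pre-release tag is present.
func parseVersion(v string) (core [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // drop build metadata such as +incompatible
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // a pre-release sorts before its release
		v = v[:i]
		pre = true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, false, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, false, false
		}
		core[i] = n
	}
	return core, pre, true
}

// compareVersions returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func compareVersions(a, b string) int {
	ca, pa, _ := parseVersion(a)
	cb, pb, _ := parseVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa && !pb:
		return -1
	case !pa && pb:
		return 1
	}
	return 0
}

// sameModule reports whether path is module itself or one of its major-version
// module paths (module/v2, module/v3, ...), which Go treats as distinct modules.
func sameModule(path, module string) bool {
	if path == module {
		return true
	}
	rest := strings.TrimPrefix(path, module+"/v")
	if rest == path {
		return false
	}
	_, err := strconv.Atoi(rest)
	return err == nil
}

// Finding records one go.sum entry pinned below the fixed version.
type Finding struct {
	Path, Version string
}

// vulnerableEntries scans go.sum text and returns every entry of module (across
// its major-version paths) whose version is below fixedVersion. A hash line and
// its "/go.mod" companion are collapsed into one finding.
func vulnerableEntries(goSum, module, fixedVersion string) []Finding {
	seen := map[string]bool{}
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 3 {
			continue
		}
		path, version := fields[0], strings.TrimSuffix(fields[1], "/go.mod")
		if !sameModule(path, module) {
			continue
		}
		if _, _, ok := parseVersion(version); !ok {
			continue
		}
		key := path + " " + version
		if seen[key] {
			continue
		}
		seen[key] = true
		if compareVersions(version, fixedVersion) < 0 {
			out = append(out, Finding{path, version})
		}
	}
	return out
}

func main() {
	for _, f := range vulnerableEntries(sampleGoSum, "github.com/emicklei/go-restful", "v3.8.0") {
		fmt.Printf("%s %s is below the fixed version v3.8.0\n", f.Path, f.Version)
	}
}
```

A hit from this scan is a prompt, not a verdict: go.sum records every version seen while resolving the graph, so the version actually built is the one `go list -m all` selects, and even a selected vulnerable version only matters if the affected code is reachable from the binary, which is what `govulncheck` (golang.org/x/vuln) checks at the call-graph level and what the reply above is asserting. Note also that the fixed release lives under the /v3 module path, so moving from the v2.x line is an import-path change rather than a plain version bump.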