
Go-restful 2.9.5 vulnerability

Open fred214 opened this issue 3 years ago • 8 comments

Hi, our scanner reports that the binary nginx-ingress-controller has the vulnerability CVE-2022-1996:

name: go-restful
version: v2.9.5+incompatible (outdated)

Files (1)
Name 	Size 	Timestamp 	Matching methods
nginx-ingress-controller 	38.06 MB 	2022/05/29 21:06 	go-mod-package

Vulnerabilities (1)
Vulnerability 	Date 	CVSS v2 	CVSS v3 	Type
CVE-2022-1996 	2022/06/08 	6.4 	9.1 	Exact match 

Do we have any updates to fix the vulnerability?

fred214 avatar Jun 27 '22 06:06 fred214

Is it possible for you to post the full scan report with all details?

longwuyuan avatar Jun 27 '22 07:06 longwuyuan

Sure,

Component information

name
    go-restful 
version
    v2.9.5+incompatible outdated 
Latest version

    v3.8.0 
website
    github.com 
component type
    Go 
tags
    frameworkrest

Files (2)
Name 	Size 	Timestamp 	Matching methods
nginx-ingress-controller 	38.06 MB 	2022/05/29 21:06 	go-mod-package
Path:

    tar xxxxxxxxx_nginx-ingress-controller:1.1.0-56.1dc574b.tar
    docker-layer 8885d8923d5534533fcd97142aa4d859644d64e81e38a777ab1a224eba01c27d/layer.tar
    elf nginx-ingress-controller 

sha1: 914f59b2c6724c0054675c28bc173a547e19f9bf

Package type: go-mod
nginx-ingress-controller 	38.06 MB 	2022/05/29 21:06 	go-mod-package
Path:

    tar xxxxxxxxx_nginx-ingress-controller:1.1.0-56.1dc574b.tar
    docker-layer ff7e00ae960fe0c2db71e8c42dc21a2d62d95cef7f8bc0c8b0007f0495b69ddd/layer.tar
    elf nginx-ingress-controller 

sha1: 914f59b2c6724c0054675c28bc173a547e19f9bf

Package type: go-mod

Vulnerabilities (1)
Vulnerability 	Date 	CVSS v2 	CVSS v3 	Type
CVE-2022-1996 	2022/06/08 	6.4 	9.1 	Exact match 

fred214 avatar Jun 27 '22 08:06 fred214

Hi, are there any updates?

fred214 avatar Jun 29 '22 01:06 fred214

@fred214 What scanner are you using? And what version of ingress-nginx?

strongjz avatar Jul 02 '22 22:07 strongjz

Hi @strongjz, we use the commercial scanner Protecode; the controller binary comes from k8s.gcr.io/ingress-nginx/controller:v1.2.1

fred214 avatar Jul 04 '22 01:07 fred214

/area stabilization

longwuyuan avatar Jul 06 '22 18:07 longwuyuan

@fred214 This issue is waiting on https://github.com/kubernetes/apiserver to release 0.25.0 to update the gorestful transitive dependency. As soon as that's live, I'll work on it. /assign

Volatus avatar Jul 23 '22 23:07 Volatus

/kind bug /triage accepted /area security /priority backlog

strongjz avatar Aug 06 '22 20:08 strongjz

Hi, we found the same issue on ingress-nginx:v1.3.0. #8942

sakshisharma84 avatar Aug 19 '22 16:08 sakshisharma84

Please see @Volatus's comment. Thanks.

tao12345666333 avatar Aug 19 '22 19:08 tao12345666333