PRISMA-2022-0227: Go-restful v3.9.0 is vulnerable to Authentication Bypass

[rmorelnetapps]

PRISMA-2022-0227:
emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system.

It is on the roadmap to fix it?

[liggitt]

The Kubernetes server does not use go-restful CORS matching, so is unaffected by that vulnerability.

Further, client-go doesn't make use of this module at all, so no vulnerabilities in that component are relevant to client-go users.

Separately, updates to the latest version of this module in kubernetes generally are blocked on incompatibilities in the latest version - see kubernetes/kubernetes#115067

/close

[k8s-ci-robot]

@liggitt: Closing this issue.

In response to this:

The Kubernetes server does not use go-restful CORS matching, so is unaffected by that vulnerability.

Further, client-go doesn't make use of this module at all, so no vulnerabilities in that component are relevant to client-go users.

Separately, updates to the latest version of this module in kubernetes generally are blocked on incompatibilities in the latest version - see kubernetes/kubernetes#115067

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.