go-restful dependency contains vulnerability

[ivan-kolisnyk]

Checks

• [X] I've already read https://github.com/actions/actions-runner-controller/blob/master/TROUBLESHOOTING.md and I'm sure my issue is not covered in the troubleshooting guide.
• [X] I'm not using a custom entrypoint in my runner image

Controller Version

v0.27.0

Helm Chart Version

No response

CertManager Version

No response

Deployment Method

Helm

cert-manager installation

There is no issue with cert manager

Checks

• [X] This isn't a question or user support case (For Q&A and community support, go to Discussions. It might also be a good idea to contract with any of contributors and maintainers if your business is so critical and therefore you need priority support
• [X] I've read releasenotes before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
• [X] My actions-runner-controller version (v0.x.y) does support the feature
• [X] I've already upgraded ARC (including the CRDs, see charts/actions-runner-controller/docs/UPGRADING.md for details) to the latest and it didn't fix the issue
• [X] I've migrated to the workflow job webhook event (if you using webhook driven scaling)

Resource Definitions

N/A

To Reproduce

We scanned summerwind/actions-runner-controller image with Prisma

Describe the bug

github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system.

Describe the expected behavior

summerwind/actions-runner-controller doesn't contain vulnerable packages

Whole Controller Logs

N/A

Whole Runner Pod Logs

N/A

Additional Context

No response

[github-actions[bot]]

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

[suhas-arcadis]

Hi Team, Any update on this? We are also having similar issues with image scan with lot of Critical and High impact bugs reported..

[kevholmes]

Aren't these coming in from an indirect k8s dependency? I think it needs to be fixed upstream.