danielqsj / kafka_exporter

Kafka exporter for Prometheus
Apache License 2.0

CVE-2022-27664, CVE-2022-32149 (Go) #343

Closed cameronwaterman closed 1 year ago

cameronwaterman commented 1 year ago

There are 3 vulnerable dependencies that fall under these CVEs: CVE-2022-27664, CVE-2022-32149

| Package | Version | Fix version | CVE |
| --- | --- | --- | --- |
| golang.org/x/text | 0.3.7 | 0.3.8 | CVE-2022-32149 |
| golang.org/x/net | v0.0.0-20220809184613-07c6da5e1ced | 0.0.0-20220906165146-f3363e06e74c | CVE-2022-27664 |
| github.com/golang/go | 1.19 | 1.18.6, 1.19.1 | CVE-2022-27664 |
FraPazGal commented 1 year ago

Just to give an update on this, there are several new vulnerabilities like CVE-2022-41723 related to the /x/net Golang package that would require a version bump to golang.org/x/net@0.7.0.

Could some maintainer confirm whether kafka-exporter is affected and if there is a plan to update the affected dependencies and perform a new release for kafka-exporter?
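The question above (is the module graph below the fix versions?) is something any consumer of the exporter can answer locally with `go list -m all` and `govulncheck ./...`. As an added illustration that is not part of this issue or of the kafka_exporter code base, the Go program below takes a constructed `go list -m all` listing (not the exporter's real dependency list) and flags every module that sits below the fix versions quoted in the two comments above (x/text 0.3.8, x/net 0.0.0-20220906165146-f3363e06e74c, and the later x/net 0.7.0 bump). The version comparison is a simplification that handles plain releases and Go's `v0.0.0-<timestamp>-<hash>` pseudo-versions; it is not full semver (the real tooling, govulncheck or golang.org/x/mod/semver, should be used for anything beyond this demonstration).

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// advisory records the first fixed version of a vulnerable module.
// The entries below are the fix versions quoted in this issue thread.
type advisory struct {
	Module string
	Fixed  string
	CVE    string
}

var advisories = []advisory{
	{"golang.org/x/text", "v0.3.8", "CVE-2022-32149"},
	{"golang.org/x/net", "v0.0.0-20220906165146-f3363e06e74c", "CVE-2022-27664"},
	{"golang.org/x/net", "v0.7.0", "CVE-2022-41723"},
}

// sampleGoList is CONSTRUCTED sample output in the shape of `go list -m all`.
// It is not the real dependency list of kafka_exporter; the module path of the
// main module is hypothetical.
const sampleGoList = `github.com/example/kafka_exporter
github.com/Shopify/sarama v1.37.2
golang.org/x/net v0.0.0-20220809184613-07c6da5e1ced
golang.org/x/text v0.3.7
golang.org/x/sys v0.5.0
`

// parseVersion splits "vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]" into its
// numeric parts and the pre-release string. Go pseudo-versions
// (v0.0.0-yyyymmddhhmmss-abcdef123456) are pre-releases whose timestamp is
// zero-padded, so a plain string comparison orders them chronologically.
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects precedence
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = v[i+1:]
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// compareVersions returns -1, 0 or 1 like strings.Compare, applying the
// semver rule that a pre-release sorts before the release it precedes.
// Simplified: pre-release identifiers are compared as whole strings.
func compareVersions(a, b string) int {
	an, ap, _ := parseVersion(a)
	bn, bp, _ := parseVersion(b)
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	}
	return strings.Compare(ap, bp)
}

// findVulnerable walks a `go list -m all` listing and returns one
// "module@version needs fixed (CVE)" line for every module below a fix version.
func findVulnerable(goList string, advs []advisory) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(goList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // the main module line carries no version
		}
		mod, ver := fields[0], fields[1]
		for _, a := range advs {
			if a.Module == mod && compareVersions(ver, a.Fixed) < 0 {
				findings = append(findings,
					fmt.Sprintf("%s@%s needs %s (%s)", mod, ver, a.Fixed, a.CVE))
			}
		}
	}
	return findings
}

func main() {
	for _, f := range findVulnerable(sampleGoList, advisories) {
		fmt.Println(f)
	}
}
```

On a real checkout the input would come from `go list -m all` run in the module root, and the remediation is the usual `go get golang.org/x/net@v0.7.0 golang.org/x/text@v0.3.8` followed by `go mod tidy`; the Go toolchain CVE (CVE-2022-27664 against the standard library) is only closed by rebuilding with a patched Go release, which `go list -m all` does not show.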

danielqsj commented 1 year ago

@FraPazGal thanks, I will update them soon

danielqsj commented 1 year ago

fixed by https://github.com/danielqsj/kafka_exporter/pull/373, golang has been upgraded to 1.20.4