go-kit / kit

A standard library for microservices.
https://gokit.io
MIT License

Potential security vulnerabilities - CVE-2021-37219, CVE-2021-38698 #1199

Closed galusben closed 2 years ago

galusben commented 2 years ago

What did you do?

I scanned this source code with JFrog Xray through the CLI and got 2 vulnerabilities originating from github.com/hashicorp/consul/api:1.10.1:

- CVE-2021-37219
- CVE-2021-38698

What did you expect?

The vulnerabilities to be fixed

What happened instead?

The vulnerabilities exist

ChrisHines commented 2 years ago

Those vulnerabilities appear to be in the consul server. Go kit only depends on the github.com/hashicorp/consul/api package to support calling the consul API. Go kit does not run a consul server.

https://github.com/go-kit/kit/search?q=consul

Is there any evidence the github.com/hashicorp/consul/api package is impacted by these vulnerabilities?

galusben commented 2 years ago

You are correct. github.com/hashicorp/consul/api is a submodule of github.com/hashicorp/consul and that is why it was reported on this project. Closing the issue.
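The two replies above settle on a path-prefix match: github.com/hashicorp/consul/api is a separately versioned submodule of github.com/hashicorp/consul, and the advisories were filed against the parent module, so a scanner that keys on the repository path reports them against any project that only imports the client library. The following triage helper is an added example, not go-kit or JFrog code. It reads the JSON stream that `go list -m -json all` emits and reports whether an advisory's module path is required exactly, is present only through a nested module, or is absent from the graph. The sample module list and the advisory-to-module mapping are constructed for illustration; the CVE identifiers are the ones from this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields of a `go list -m -json all` record that matter here;
// extra fields in the real output (Main, Indirect, Dir, ...) are ignored.
type Module struct {
	Path    string
	Version string
}

// Advisory is a scanner finding together with the module path it is filed against.
type Advisory struct {
	ID     string
	Module string
}

// Match describes how a finding relates to the module graph.
type Match int

const (
	NotPresent    Match = iota // the advisory's module path is nowhere in the graph
	Exact                      // the advisory's module path itself is required
	SubmoduleOnly              // only a nested module (e.g. <path>/api) is required
)

func (m Match) String() string {
	switch m {
	case Exact:
		return "exact module match"
	case SubmoduleOnly:
		return "path-prefix match on a submodule only"
	default:
		return "module not in graph"
	}
}

// ParseModules decodes the concatenated JSON objects produced by `go list -m -json all`.
func ParseModules(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		err := dec.Decode(&m)
		if err == io.EOF {
			return mods, nil
		}
		if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
}

// Classify reports whether the module an advisory names is actually required, or
// whether the scanner matched on a path prefix shared with a nested module.
// The returned slice lists the module@version entries that caused the match.
func Classify(mods []Module, adv Advisory) (Match, []string) {
	var hits []string
	result := NotPresent
	for _, m := range mods {
		if m.Path == adv.Module {
			return Exact, []string{m.Path + "@" + m.Version}
		}
		if strings.HasPrefix(m.Path, adv.Module+"/") {
			hits = append(hits, m.Path+"@"+m.Version)
			result = SubmoduleOnly
		}
	}
	return result, hits
}

// SampleGoList is a constructed stand-in for `go list -m -json all` output:
// the main module plus the consul client library from the thread and one filler.
const SampleGoList = `{"Path": "github.com/go-kit/kit", "Main": true}
{"Path": "github.com/hashicorp/consul/api", "Version": "v1.10.1"}
{"Path": "example.com/unrelated/lib", "Version": "v0.1.0"}`

func main() {
	mods, err := ParseModules(strings.NewReader(SampleGoList))
	if err != nil {
		panic(err)
	}
	// Assumed mapping for illustration: both advisories filed against the parent module.
	for _, adv := range []Advisory{
		{ID: "CVE-2021-37219", Module: "github.com/hashicorp/consul"},
		{ID: "CVE-2021-38698", Module: "github.com/hashicorp/consul"},
	} {
		m, hits := Classify(mods, adv)
		fmt.Printf("%s: %s %v\n", adv.ID, m, hits)
	}
}
```

A `SubmoduleOnly` result is the signal to check the advisory text against the nested module before treating the finding as actionable, as happened in this thread; an `Exact` result means the flagged module really is required and the version check applies as-is.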