godaddy / kubernetes-client

Simplified Kubernetes API client for Node.js.
MIT License
961 stars 192 forks

SHA-1 Weak Authentication Algorithm vulnerability in dependency "request" #691

Open aqan213 opened 3 years ago

aqan213 commented 3 years ago

Our customer reported a vulnerability in bluemix-autoscaling-agent caused by "request" package. The vulnerability reports that

"The request package is vulnerable to Weak Authentication Algorithm. The function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure."

Here is the hierarchy of the "request" module tracking back to appmetrics

"request" --> "kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics" --> "bluemix-autoscaling-agent"

According to request/request#2640 it looks like all versions of request are vulnerable and the request package is deprecated. Can you please take a look? thanks,
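One way to trace every chain that pulls a package in, as an added example that is not part of this issue or of the kubernetes-client project: it walks the `packages` map of an npm lockfile (lockfileVersion 2/3, i.e. package-lock.json), resolving nested node_modules the way Node does, and returns each path from the root to the target. The lockfile below is constructed to mirror the chain reported above; to run it against a real project, replace `sampleLock` with `require('./package-lock.json')`.

```javascript
// Constructed lockfile (lockfileVersion 3 "packages" map) mirroring the chain in this issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "bluemix-autoscaling-agent", dependencies: { appmetrics: "*" } },
    "node_modules/appmetrics": { dependencies: { "ibmapm-embed": "*" } },
    "node_modules/ibmapm-embed": { dependencies: { "ibmapm-restclient": "*" } },
    "node_modules/ibmapm-restclient": { dependencies: { "kubernetes-client": "*" } },
    "node_modules/kubernetes-client": { dependencies: { request: "*" } },
    // kubernetes-client carries its own nested copy; the hoisted one is a different version
    "node_modules/kubernetes-client/node_modules/request": { version: "2.88.2" },
    "node_modules/request": { version: "2.88.0" },
  },
};

// Package name for a lockfile path ("" is the root project).
const pkgName = (packages, path) =>
  path === "" ? packages[""].name || "(root)" : path.slice(path.lastIndexOf("node_modules/") + 13);

// Resolve `name` as Node does for the package at `fromPath`: its own
// node_modules first, then each parent's, up to the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (base === "") return null; // reached the root without a match
    base = base.includes("/node_modules/") ? base.slice(0, base.lastIndexOf("/node_modules/")) : "";
  }
}

// Depth-first walk from the root; each chain reads "a --> b --> target@version".
function findChainsTo(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (path, trail) => {
    const name = pkgName(packages, path);
    const next = trail.concat(name);
    if (name === target) {
      chains.push(next.join(" --> ") + "@" + (packages[path].version || "?"));
      return;
    }
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath !== null && !next.includes(dep)) walk(depPath, next); // cycle guard
    }
  };
  walk("", []);
  return chains;
}
```

Each returned chain names the exact copy of `request` that a given dependent would load, which is what a scanner finding needs before deciding whether an upgrade or a replacement of the dependent is the fix.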

aqan213 commented 3 years ago

Hi, can anyone help to check this issue? thanks,

aqan213 commented 3 years ago

The customer is supposed to fix it in Feb. Is it possible to address this issue asap or can you please give us a date when you plan to do it? thanks,

pinkyjpainadath commented 3 years ago

Hi, We are also facing the same issue. Is there a fix expected for this any time soon?

donacarr commented 3 years ago

Hi ... any chance to replace "request" with something else not vulnerable?

godber commented 3 years ago

There is already an issue here for request being deprecated.

https://github.com/godaddy/kubernetes-client/issues/614

It would probably make sense to close this issue in preference to that issue.