hashicorp / go-discover

Discover nodes in cloud environments
Mozilla Public License 2.0

Fix dependencies with CVE-2021-3121 #171

Closed adzeitor closed 2 years ago

adzeitor commented 3 years ago

Packages k8s.io/api, k8s.io/apimachinery, k8s.io/client-go with versions before v0.19.10 (excluding) contain vulnerable gogo/protobuf v1.3.1.

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

See https://nvd.nist.gov/vuln/detail/CVE-2021-3121
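An added example, not part of this PR or of go-discover: a standard-library check that scans go.mod text for the modules named above at versions below the stated thresholds. It compares versions numerically, since v0.19.9 sorts after v0.19.10 as a string; the function names, the `github.com/gogo/protobuf` module path spelling and the sample requirement are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// First unaffected versions, as stated in the PR description above.
var fixedIn = map[string]string{
	"k8s.io/api":               "v0.19.10",
	"k8s.io/apimachinery":      "v0.19.10",
	"k8s.io/client-go":         "v0.19.10",
	"github.com/gogo/protobuf": "v1.3.2",
}

// versionKey turns vX.Y.Z into one comparable number, dropping any "-suffix";
// ok is false for anything else, such as a "+incompatible" tag.
func versionKey(v string) (key int, ok bool) {
	parts := strings.Split(strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0], ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n > 9999 {
			return 0, false
		}
		key = key*10000 + n
	}
	return key, len(parts) == 3
}

// Affected lists requirements below the fixed version; unparseable versions are listed for manual review.
func Affected(gomod string) (hits []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || fixedIn[f[0]] == "" {
			continue
		}
		want, _ := versionKey(fixedIn[f[0]])
		got, ok := versionKey(f[1])
		if !ok || got < want {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}

func main() {
	// Constructed sample requirement, not taken from any real go.mod.
	fmt.Println(Affected("require k8s.io/client-go v0.18.2"))
}
```

A pre-release of the fixed version itself (for example a `-rc` tag) is treated as the fixed version, so review those by hand.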

hashicorp-cla commented 3 years ago

CLA assistant check
All committers have signed the CLA.